├── .ansible-lint
├── .editorconfig
├── .gitignore
├── .gitlab-ci.yml
├── .gitlab
└── issue_templates
│ ├── Decommission Server.md
│ ├── New Archive Mirror.md
│ ├── New GitLab Pages Project.md
│ ├── New Mirror.md
│ ├── New Official Project.md
│ ├── Offboarding.md
│ └── Onboarding.md
├── LICENSE
├── README.md
├── ansible.cfg
├── docs
├── backups.md
├── banning.md
├── becoming-devops.md
├── email.md
├── fail2ban.md
├── geomirrors.md
├── grafana.md
├── grow-disks.md
├── kape.md
├── maintenance.md
├── matrix.md
├── monitoring.md
├── otp.md
├── quassel.md
├── rebuilderd.md
├── servers.md
├── ssh-hostkeys.txt
├── ssh-known_hosts.txt
├── testing.md
├── vault-rekeying.md
└── wireguard.md
├── group_vars
├── all
│ ├── archusers.yml
│ ├── common.yml
│ ├── dyn_dns.yml
│ ├── geo.yml
│ ├── gitlab_bots.yml
│ ├── matrix.yml
│ ├── postfix.yml
│ ├── root_access.yml
│ ├── vault_archmanweb.yml
│ ├── vault_archweb.yml
│ ├── vault_archwiki.yml
│ ├── vault_aurweb.yml
│ ├── vault_bugbuddy.yml
│ ├── vault_dyn_dns_keys.yml
│ ├── vault_fluxbb.yml
│ ├── vault_github.yml
│ ├── vault_gitlab.yml
│ ├── vault_gitlab_runner.yml
│ ├── vault_goaurrpc.yml
│ ├── vault_google.yml
│ ├── vault_grafana.yml
│ ├── vault_hedgedoc.yml
│ ├── vault_keycloak.yml
│ ├── vault_loki.yml
│ ├── vault_mailman.yml
│ ├── vault_mariadb.yml
│ ├── vault_matrix.yml
│ ├── vault_mirror.yml
│ ├── vault_monitoring.yml
│ ├── vault_mumble_server.yml
│ ├── vault_postfix.yml
│ ├── vault_postgres.yml
│ ├── vault_prometheus.yml
│ ├── vault_rebuilderd.yml
│ ├── vault_security_tracker.yml
│ ├── vault_terraform.yml
│ └── vault_uptimerobot.yml
├── buildservers.yml
├── geo_mirrors
│ └── misc.yml
├── gitlab_runners.yml
├── hcloud.yml
├── hetzner.yml
├── kape_servers.yml
├── mirrors
│ ├── mirrorsync.yml
│ └── misc.yml
└── rebuilderd_workers.yml
├── host_vars
├── accounts.archlinux.org
│ └── misc.yml
├── america.mirror.pkgbuild.com
│ └── misc.yml
├── archive.archlinux.org
│ └── misc.yml
├── archlinux.org
│ ├── misc.yml
│ └── vault_archlinux.yml
├── asia.mirror.pkgbuild.com
│ └── misc.yml
├── aur.archlinux.org
│ ├── misc.yml
│ └── vault_aurweb.yml
├── bbs.archlinux.org
│ └── misc.yml
├── berlin.mirror.pkgbuild.com
│ └── misc.yml
├── bugbuddy.archlinux.org
│ └── misc.yml
├── build.archlinux.org
│ ├── mirrorsync.yml
│ └── misc.yml
├── dashboards.archlinux.org
│ └── misc.yml
├── debuginfod.archlinux.org
│ ├── mirrorsync.yml
│ └── misc.yml
├── europe.mirror.pkgbuild.com
│ └── misc.yml
├── gitlab.archlinux.org
│ └── misc.yml
├── gluebuddy.archlinux.org
│ └── misc.yml
├── homedir.archlinux.org
│ └── misc.yml
├── johannesburg.mirror.pkgbuild.com
│ └── misc.yml
├── lists.archlinux.org
│ └── misc.yml
├── london.mirror.pkgbuild.com
│ └── misc.yml
├── losangeles.mirror.pkgbuild.com
│ └── misc.yml
├── mail.archlinux.org
│ ├── misc.yml
│ └── wiki-bouncehandler
├── man.archlinux.org
│ └── misc.yml
├── matrix.archlinux.org
│ └── misc.yml
├── md.archlinux.org
│ └── misc.yml
├── mirror.pkgbuild.com
│ └── misc.yml
├── monitoring.archlinux.org
│ ├── misc.yml
│ ├── vault_fastly.yml
│ └── vault_monitoring.yml
├── mumble.archlinux.org
│ └── misc.yml
├── opensearch.archlinux.org
│ └── misc.yml
├── packer-base-image
├── phrik.archlinux.org
│ ├── misc.yml
│ └── vault_bugbot.yml
├── quassel.archlinux.org
│ └── misc.yml
├── redirect.archlinux.org
│ └── misc.yml
├── repos.archlinux.org
│ └── misc.yml
├── repro2.pkgbuild.com
│ └── misc.yml
├── repro3.pkgbuild.com
│ └── misc.yml
├── repro4.pkgbuild.com
│ └── misc.yml
├── reproducible.archlinux.org
│ └── misc.yml
├── runner1.archlinux.org
│ ├── misc.yml
│ └── vault_gitlab_runner.yml
├── runner3.archlinux.org
│ ├── misc.yml
│ └── vault_gitlab_runner.yml
├── secure-runner1.archlinux.org
│ ├── misc.yml
│ └── vault_gitlab_runner.yml
├── security.archlinux.org
│ └── misc.yml
├── singapore.mirror.pkgbuild.com
│ └── misc.yml
├── state.archlinux.org
│ └── misc.yml
├── sydney.mirror.pkgbuild.com
│ └── misc.yml
├── taipei.mirror.pkgbuild.com
│ └── misc.yml
└── wiki.archlinux.org
│ └── misc.yml
├── hosts
├── library
└── dbscripts_mkdirs.py
├── misc
├── borg.sh
├── find-arch-on-crt.sh
├── get_key.py
├── kcadm_wrapper.sh
├── keys
│ ├── README.md
│ ├── arch-boxes.asc
│ └── renovate.asc
├── vault-default-password.gpg
├── vault-keyring-client.sh
├── vault-super-password.gpg
└── vaults
│ ├── additional-credentials.vault
│ ├── vault_archive.yml
│ ├── vault_dnswl.yml
│ ├── vault_docker.yml
│ ├── vault_equinix_metal.yml
│ ├── vault_fastly.yml
│ ├── vault_gandi.yml
│ ├── vault_github.yml
│ ├── vault_hashicorp_cloud.yml
│ ├── vault_hcaptcha.yml
│ ├── vault_hcloud.yml
│ ├── vault_hetzner.yml
│ ├── vault_hetzner_storagebox.yml
│ ├── vault_hetzner_webservice.yml
│ ├── vault_mastodon.yml
│ ├── vault_matrix.yml
│ ├── vault_misaka.yml
│ ├── vault_redhat.yml
│ ├── vault_rsync.net.yml
│ └── vault_tux_si.yml
├── one-shots
├── README.md
└── keycloak-keyfetcher
│ └── get_fingerprint.sh
├── packer
└── archlinux.pkr.hcl
├── playbooks
├── accounts.archlinux.org.yml
├── all-hosts-basic.yml
├── archive-mirrors.yml
├── archive.archlinux.org.yml
├── archlinux.org.yml
├── aur-dev.archlinux.org.yml
├── aur.archlinux.org.yml
├── bbs.archlinux.org.yml
├── bugbuddy.archlinux.org.yml
├── build.archlinux.org.yml
├── dashboards.archlinux.org.yml
├── debuginfod.archlinux.org.yml
├── gitlab-runners.yml
├── gitlab.archlinux.org.yml
├── gluebuddy.archlinux.org.yml
├── hetzner_storagebox.yml
├── homedir.archlinux.org.yml
├── lists.archlinux.org.yml
├── mail.archlinux.org.yml
├── man.archlinux.org.yml
├── matrix.archlinux.org.yml
├── md.archlinux.org.yml
├── mirrors.yml
├── monitoring.archlinux.org.yml
├── mumble.archlinux.org.yml
├── nvchecker-poc.pkgbuild.com.yml
├── opensearch.archlinux.org.yml
├── phrik.yml
├── quassel.archlinux.org.yml
├── rebuilderd-workers.yml
├── redirect.archlinux.org.yml
├── repos.archlinux.org.yml
├── reproducible.archlinux.org.yml
├── rsync.net.yml
├── security.archlinux.org.yml
├── state.archlinux.org.yml
├── tasks
│ ├── fetch-borg-keys.yml
│ ├── include
│ │ ├── post-upgrade.yml
│ │ ├── post-upgrade
│ │ │ ├── borg-clients.yml
│ │ │ ├── build.archlinux.org.yml
│ │ │ └── repos.archlinux.org.yml
│ │ ├── reencrypt-vault-key.yml
│ │ └── upgrade-server.yml
│ ├── install_arch.yml
│ ├── reencrypt-vault-default-key.yml
│ ├── reencrypt-vault-super-key.yml
│ ├── sync-ssh-hostkeys.yml
│ └── upgrade-servers.yml
└── wiki.archlinux.org.yml
├── plugins
└── callback
│ └── auto_tags.py
├── pubkeys
├── ainola.pub
├── alad.pub
├── alerque.pub
├── alex19ep.pub
├── allan.pub
├── alucryd.pub
├── anatolik.pub
├── andrew.pub
├── andrewsc.pub
├── andyrtr.pub
├── anonfunc.pub
├── anthraxx.pub
├── antiz.pub
├── archange.pub
├── arodseth.pub
├── arojas.pub
├── artafinde.pub
├── bastelfreak.pub
├── bertptrs_ganymede.pub
├── bertptrs_rhea.pub
├── bgyorgy.pub
├── blakkheim.pub
├── braindamage.pub
├── carsme.pub
├── cbehan.pub
├── codingkoopa.pub
├── daurnimator.pub
├── dbermond.pub
├── demize.pub
├── denisse.pub
├── det87.pub
├── dvzrv.pub
├── edh.pub
├── eworm.pub
├── fabiscafe.pub
├── faidoc.pub
├── felixonmars.pub
├── ffy00.pub
├── flyingpig.pub
├── foutrelis.pub
├── foutrelis_buildhost.pub
├── foxboron.pub
├── foxxx0.pub
├── freswa.pub
├── grawlinson.pub
├── grazzolini.pub
├── gromit.pub
├── hashworks.pub
├── hashworks_yubikey_5_nfc.pub
├── heftig_build.pub
├── heftig_nitrokey.pub
├── heftig_yubikey.pub
├── idevolder.pub
├── integral.pub
├── jelle.pub
├── jlichtblau.pub
├── jouke.pub
├── jsteel.pub
├── juergen.pub
├── kewl.pub
├── kgizdov.pub
├── klausenbusk.pub
├── kpcyrd.pub
├── lahwaacz.pub
├── lcarlier.pub
├── lfleischer.pub
├── mh4ckt3mh4ckt1c4s.pub
├── morganamilo.pub
├── moson.pub
├── mtorromeo.pub
├── muflone.pub
├── neitsab.pub
├── orhun.pub
├── pierre.pub
├── pitastrudl.pub
├── polyzen.pub
├── ptr1337.pub
├── raffomania.pub
├── raster.pub
├── rgacogne.pub
├── sangy.pub
├── seblu.pub
├── segaja.pub
├── serebit.pub
├── shibumi.pub
├── skydiver.pub
├── speps.pub
├── spupykin.pub
├── strit.pub
├── svartkanin.pub
├── svenstaro.pub
├── tcanabrava.pub
├── torxed.pub
├── tpkessler.pub
├── tpowa.pub
├── wahrwolf.pub
├── wiktor.pub
├── wild.pub
└── yan12125.pub
├── roles
├── alertmanager
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── alertmanager.yml.j2
├── arch_images_sync
│ ├── files
│ │ ├── arch-images-sync.service
│ │ ├── arch-images-sync.sh
│ │ └── arch-images-sync.timer
│ └── tasks
│ │ └── main.yml
├── archbuild
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── clean-chroots
│ │ ├── clean-chroots.service
│ │ ├── clean-chroots.timer
│ │ ├── clean-dests
│ │ ├── clean-dests.service
│ │ ├── clean-dests.timer
│ │ ├── clean-offload-build
│ │ ├── clean-offload-build.service
│ │ ├── clean-offload-build.timer
│ │ ├── devtools-override_arch-nspawn-.scope.conf
│ │ ├── devtools-override_devtools.slice.conf
│ │ ├── devtools-override_user-.slice.conf
│ │ ├── elinks-pkgdiffrepo.conf
│ │ ├── gitconfig
│ │ ├── gitpkg
│ │ ├── mkpkg
│ │ ├── mkpkg@.service
│ │ ├── mkpkg@.timer
│ │ ├── pkgdiffrepo
│ │ ├── strictatime@.service
│ │ ├── sudoers
│ │ ├── var-lib-archbuild.mount
│ │ └── var-lib-archbuilddest.mount
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── archive
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── archive-uploader.service
│ │ ├── archive-uploader.timer
│ │ ├── archive.conf.j2
│ │ ├── repos-archive-puller.service
│ │ ├── repos-archive-puller.timer
│ │ └── rsyncd.conf.j2
├── archive_web
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── archmanweb
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── robots.txt
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── archmanweb.ini.j2
│ │ ├── archmanweb_update.service.j2
│ │ ├── archmanweb_update.timer.j2
│ │ ├── local_settings.py.j2
│ │ └── nginx.d.conf.j2
├── archusers
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── authorized_keys.j2
├── archweb
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── robots.txt
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── archweb-memcached.service.j2
│ │ ├── archweb-mirrorcheck.service.j2
│ │ ├── archweb-mirrorcheck.timer.j2
│ │ ├── archweb-mirrorresolv.service.j2
│ │ ├── archweb-mirrorresolv.timer.j2
│ │ ├── archweb-pgp_import-pacman-hook.j2
│ │ ├── archweb-pgp_import.service.j2
│ │ ├── archweb-planet.service.j2
│ │ ├── archweb-planet.timer.j2
│ │ ├── archweb-populate_signoffs.service.j2
│ │ ├── archweb-populate_signoffs.timer.j2
│ │ ├── archweb-readlinks.service.j2
│ │ ├── archweb-rebuilderd.service.j2
│ │ ├── archweb-rebuilderd.timer.j2
│ │ ├── archweb-reporead.service.j2
│ │ ├── archweb-rsync_iso.service.j2
│ │ ├── archweb-rsync_iso.timer.j2
│ │ ├── archweb.ini.j2
│ │ ├── donor_import_wrapper.sh.j2
│ │ ├── ipxe.archlinux.org.j2
│ │ ├── local_settings.py.j2
│ │ ├── maintenance-nginx.d.conf.j2
│ │ ├── nginx.d.conf.j2
│ │ ├── sudoers-fetchmail-archweb.j2
│ │ ├── well-known-matrix-client.json.j2
│ │ └── well-known-matrix-server.json.j2
├── archwiki
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── nginx-cache-purge
│ │ └── robots.txt
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── LocalSettings.php.j2
│ │ ├── archwiki-question-updater.service.j2
│ │ ├── archwiki-question-updater.timer.j2
│ │ ├── archwiki-runjobs-wait.service.j2
│ │ ├── archwiki-runjobs.service.j2
│ │ ├── archwiki-runjobs.timer.j2
│ │ ├── memcached.service.d-archwiki.conf.j2
│ │ ├── nginx-cache-purge.service.j2
│ │ ├── nginx.d.conf.j2
│ │ └── php-fpm.conf.j2
├── aurweb
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── id_ed25519.vault
│ │ └── robots.txt
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── aurweb-aurblup.service.j2
│ │ ├── aurweb-aurblup.timer.j2
│ │ ├── aurweb-git-archive.service.j2
│ │ ├── aurweb-git-archive.timer.j2
│ │ ├── aurweb-git-auth.sh.j2
│ │ ├── aurweb-git-gc.sh.j2
│ │ ├── aurweb-git-serve.sh.j2
│ │ ├── aurweb-git-update.sh.j2
│ │ ├── aurweb-git.service.j2
│ │ ├── aurweb-git.timer.j2
│ │ ├── aurweb-github-mirror.service.j2
│ │ ├── aurweb-github-mirror.timer.j2
│ │ ├── aurweb-mkpkglists.service.j2
│ │ ├── aurweb-mkpkglists.timer.j2
│ │ ├── aurweb-pkgmaint.service.j2
│ │ ├── aurweb-pkgmaint.timer.j2
│ │ ├── aurweb-popupdate.service.j2
│ │ ├── aurweb-popupdate.timer.j2
│ │ ├── aurweb-usermaint.service.j2
│ │ ├── aurweb-usermaint.timer.j2
│ │ ├── aurweb-votereminder.service.j2
│ │ ├── aurweb-votereminder.timer.j2
│ │ ├── aurweb.service.j2
│ │ ├── aurweb_config.j2
│ │ ├── cgit.ini.j2
│ │ ├── cgitrc.j2
│ │ ├── config.j2
│ │ ├── goaurrpc.conf.j2
│ │ ├── nginx.d.conf.j2
│ │ └── smartgit.ini.j2
├── borg_client
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── borg-backup-offsite.service
│ │ ├── borg-backup.service
│ │ └── borg-backup.timer
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── backup-my.cnf.j2
│ │ ├── backup-mysql.sh.j2
│ │ ├── backup-postgres.sh.j2
│ │ ├── borg-backup.sh.j2
│ │ └── borg.j2
├── borg_server
│ └── tasks
│ │ └── main.yml
├── bugbot
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── bugbot.service
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── bugbot.j2
├── bugbuddy
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── bugbuddy-download.sh
│ │ └── bugbuddy.service
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── bugbuddy.conf.j2
├── certbot
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── certbot-renewal.service
│ │ ├── certbot-renewal.timer
│ │ └── hook.sh
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── rfc2136.ini.j2
├── certificate
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── chrony
│ ├── files
│ │ ├── chrony.conf
│ │ └── chronyd
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── common
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── oomd-override_-.slice.conf
│ │ ├── oomd-override_user@.service.conf
│ │ └── smartd.conf
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── journald.conf.j2
│ │ ├── locale.conf.j2
│ │ ├── logrotate.conf.j2
│ │ ├── mirrorlist.j2
│ │ ├── pacman.conf.j2
│ │ ├── system.conf.j2
│ │ └── zram-generator.conf
├── dbscripts
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── archive-cleanup.service
│ │ ├── archive-cleanup.timer
│ │ ├── archive-index.service
│ │ ├── archive-index.timer
│ │ ├── cleanup.service
│ │ ├── cleanup.timer
│ │ ├── createlinks
│ │ ├── createlinks.service
│ │ ├── createlinks.timer
│ │ ├── gen_rsyncd.service
│ │ ├── gen_rsyncd.timer
│ │ ├── gitconfig
│ │ ├── lastsync.service
│ │ ├── lastsync.timer
│ │ ├── sourceballs.service
│ │ ├── sourceballs.timer
│ │ └── sudoers.d
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── authorized_keys-group.j2
│ │ ├── authors.conf.j2
│ │ ├── gen_rsyncd.conf.pl
│ │ ├── nginx.d.conf.j2
│ │ └── rsyncd.conf.proto.j2
├── debuginfod
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── archlinux.png
│ │ ├── index.html
│ │ ├── packagelist.service
│ │ └── packagelist.timer
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── debuginfod.service.j2
│ │ └── nginx.d.conf.j2
├── dovecot
│ ├── files
│ │ ├── dovecot-cleanup.service
│ │ ├── dovecot-cleanup.timer
│ │ ├── shared-mailboxes
│ │ ├── shared-mailboxes-acl
│ │ └── spam-to-folder.sieve
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── dovecot.conf.j2
│ │ └── letsencrypt.hook.d.j2
├── dyn_dns
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── dnsupdate-policy.lua.j2
│ │ └── pdns.conf.j2
├── fail2ban
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── fail2ban.xml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── dovecot.jail.j2
│ │ ├── fail2ban.local.j2
│ │ ├── fail2ban.service.j2
│ │ ├── firewallcmd-ipset-allports.conf.j2
│ │ ├── jail.local.j2
│ │ ├── nginx-limit-req.jail.j2
│ │ ├── postfix.jail.j2
│ │ └── sshd.jail.j2
├── fetchmail
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── fetchmailrc.j2
├── firewalld
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── firewalld.conf.j2
├── fluxbb
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── config.php.j2
│ │ ├── nginx.conf.j2
│ │ └── php-fpm.conf.j2
├── geo_dns
│ ├── files
│ │ └── geoipupdate-pdns-reload.conf
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── geo.yml.j2
│ │ └── pdns.conf.j2
├── geoipupdate
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── GeoIP.conf.j2
├── gitlab
│ ├── files
│ │ ├── gitlab-bot-token-extender.service
│ │ ├── gitlab-bot-token-extender.timer
│ │ ├── gitlab-cleanup.service
│ │ └── gitlab-cleanup.timer
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── gitlab-bot-token-extender.rb.j2
├── gitlab_runner
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── arch-boxes.asc
│ │ ├── daemon.json
│ │ ├── docker.slice
│ │ ├── gitlab-runner-docker-cleanup.service
│ │ ├── gitlab-runner-docker-cleanup.timer
│ │ ├── libvirt-executor
│ │ ├── libvirt-executor-fetch-image
│ │ ├── libvirt-executor-fetch-image.service
│ │ └── libvirt-executor-fetch-image.timer
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── config.toml.j2
│ │ └── domain_template.xml.j2
├── gluebuddy
│ ├── files
│ │ ├── gluebuddy.service
│ │ ├── gluebuddy.timer
│ │ └── gluebuddy_download.sh
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── gluebuddy.conf.j2
├── grafana
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── dashboards
│ │ │ ├── Hedgedoc.json
│ │ │ ├── archive.json
│ │ │ ├── aur-operational.json
│ │ │ ├── aur.json
│ │ │ ├── backups.json
│ │ │ ├── debuginfod.json
│ │ │ ├── geo_mirrors.json
│ │ │ ├── gitlab-metrics.json
│ │ │ ├── goaurrpc.json
│ │ │ ├── keycloak.json
│ │ │ ├── loki.json
│ │ │ ├── nginx-stats.json
│ │ │ ├── nginx_logs.json
│ │ │ ├── node_exporter.json
│ │ │ ├── rebuilderd.json
│ │ │ ├── repository.json
│ │ │ ├── smart.json
│ │ │ └── synapse.json
│ │ └── public-dashboards
│ │ │ ├── archive.json
│ │ │ ├── aur.json
│ │ │ ├── debuginfod.json
│ │ │ ├── geo_mirrors.json
│ │ │ ├── goaurrpc.json
│ │ │ ├── rebuilderd.json
│ │ │ └── repository.json
│ ├── handlers
│ │ └── main.yml
│ ├── scripts
│ │ └── rebase-grafana-ini.sh
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── dashboard.yaml.j2
│ │ ├── datasources.yaml.j2
│ │ ├── grafana.ini.j2
│ │ └── nginx.d.conf.j2
├── hardening
│ ├── files
│ │ ├── 50-bpf_jit_harden.conf
│ │ ├── 50-dmesg-restrict.conf
│ │ ├── 50-kexec_load_disabled.conf
│ │ ├── 50-kptr-restrict.conf
│ │ ├── 50-lockdown.conf
│ │ ├── 50-ptrace-restrict.conf
│ │ ├── 50-unprivileged_bpf_disabled.conf
│ │ └── 50-unprivileged_userns_clone.conf
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── hedgedoc
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── config.json.j2
│ │ ├── hedgedoc.service.d.j2
│ │ └── nginx.d.conf.j2
├── hetzner_storagebox
│ ├── tasks
│ │ ├── main.yml
│ │ └── upload_client_authorized_keys.yml
│ └── templates
│ │ ├── authorized_keys.j2
│ │ └── authorized_keys_client.j2
├── install_arch
│ ├── files
│ │ ├── ec2-public-keys
│ │ ├── ec2-public-keys.service
│ │ └── pacman-init.service
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── mirrorlist.j2
│ │ └── sshd_config.j2
├── keycloak
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── create-keycloak-admin.conf
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── admin-user.conf.j2
│ │ ├── keycloak.conf.j2
│ │ └── nginx.d.conf.j2
├── libvirt
│ ├── files
│ │ └── images.xml
│ └── tasks
│ │ └── main.yml
├── loki
│ ├── files
│ │ ├── loki-override.conf
│ │ ├── loki.yaml
│ │ └── rules.yaml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── mailman
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── aliases
│ │ ├── list_base_configuration.json
│ │ ├── mailman.patch
│ │ ├── milter_header_checks
│ │ └── patch-mailman.hook
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── mailman-hyperkitty.cfg.j2
│ │ ├── mailman.cfg.j2
│ │ ├── main.cf.j2
│ │ ├── nginx.d.conf.j2
│ │ └── settings.py.j2
├── maintenance
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── 503.html.j2
│ │ └── nginx-maintenance.conf.j2
├── mariadb
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── client.cnf.j2
│ │ └── server.cnf.j2
├── matrix
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── draupnir.service
│ │ ├── get-oembed-providers.py
│ │ ├── letsencrypt.hook.d
│ │ ├── log_config.yaml
│ │ ├── matrix-appservice-irc.service
│ │ ├── oembed-providers.json
│ │ ├── pg_hba.conf
│ │ ├── synapse-worker@.service
│ │ ├── synapse.service
│ │ ├── turnserver.service.d
│ │ ├── worker-appservice.yaml
│ │ ├── worker-federation_reader.yaml
│ │ ├── worker-federation_sender.yaml
│ │ └── worker-media_repository.yaml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── appservice-registration-irc.yaml.j2
│ │ ├── draupnir.yaml.j2
│ │ ├── homeserver.yaml.j2
│ │ ├── irc-bridge.yaml.j2
│ │ ├── nginx.d.conf.j2
│ │ └── turnserver.conf.j2
├── memcached
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── memcached-tmpfiles.d.j2
├── mirrorsync
│ ├── tasks
│ │ ├── main.yml
│ │ ├── sync.yml
│ │ └── web.yml
│ └── templates
│ │ ├── mirrorsync.j2
│ │ ├── mirrorsync.service.j2
│ │ ├── mirrorsync.timer.j2
│ │ └── nginx.d.conf.j2
├── mta_sts
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── mumble_server
│ ├── files
│ │ └── restart-mumble-server.sh
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── mumble-server.ini.j2
├── networking
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── 50-tcp_fastopen.conf
│ │ ├── dns.conf
│ │ ├── hcloud-init
│ │ └── hcloud-init.service
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── 10-dhcp-ethernet.network.j2
│ │ ├── 10-static-ethernet.network.j2
│ │ ├── 10-static6-ethernet.network.j2
│ │ └── additional_addresses.conf.j2
├── nginx
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── logrotate.conf
│ │ └── nginx.service.d
│ │ │ └── local.conf
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── headers.conf
│ │ ├── letsencrypt.conf
│ │ ├── letsencrypt.hook.d.j2
│ │ ├── listen-443.conf.j2
│ │ ├── nginx-hostname-vhost.conf.j2
│ │ ├── nginx.conf.j2
│ │ └── sslsettings.conf
├── opensearch
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── php_fpm
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── php-fpm@.service
│ │ └── php-fpm@.socket
│ ├── handlers
│ │ └── main.yaml
│ ├── tasks
│ │ └── main.yaml
│ └── templates
│ │ └── php.ini.j2
├── phrik
│ ├── files
│ │ ├── 20-manage-phrik.rules
│ │ ├── phrik.service
│ │ └── sudoers
│ └── tasks
│ │ └── main.yml
├── ping
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── postfix
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── bouncehandler.pl
│ │ ├── domains
│ │ └── msa_header_checks
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── aliases.j2
│ │ ├── letsencrypt.hook.d.j2
│ │ ├── main.cf.j2
│ │ ├── master.cf.j2
│ │ ├── transport.pcre.j2
│ │ └── wiki-bouncehandler.conf.j2
├── postfix_null
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── main.cf.j2
│ │ └── relay_passwords.j2
├── postfwd
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── postfwd.cf.j2
├── postgres
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── upgrade_pg.sh
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── letsencrypt.hook.d.j2
│ │ ├── pg_hba.conf.j2
│ │ └── postgresql.conf.j2
├── prometheus
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── node.rules.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── prometheus.conf.j2
│ │ ├── prometheus.yml.j2
│ │ └── web-config.yml.j2
├── prometheus_exporters
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── arch-textcollector.sh
│ │ ├── archive-textcollector.sh
│ │ ├── borg-offsite-textcollector.sh
│ │ ├── borg-textcollector.sh
│ │ ├── btrfs-textcollector.sh
│ │ ├── fail2ban-textcollector.sh
│ │ ├── gitlab-exporter.timer
│ │ ├── hetzner-textcollector.sh
│ │ ├── rebuilderd-status-textcollector.py
│ │ ├── rebuilderd-textcollector.sh
│ │ ├── repository-textcollector.sh
│ │ ├── smart-textcollector.sh
│ │ └── sudoers
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── blackbox.yml.j2
│ │ ├── fastly-textcollector.sh.j2
│ │ ├── gitlab-exporter.conf.j2
│ │ ├── gitlab-exporter.service.j2
│ │ ├── prometheus-arch-textcollector.service.j2
│ │ ├── prometheus-arch-textcollector.timer.j2
│ │ ├── prometheus-archive-textcollector.service.j2
│ │ ├── prometheus-archive-textcollector.timer.j2
│ │ ├── prometheus-borg-textcollector.service.j2
│ │ ├── prometheus-btrfs-textcollector.service.j2
│ │ ├── prometheus-btrfs-textcollector.timer.j2
│ │ ├── prometheus-fail2ban-textcollector.service.j2
│ │ ├── prometheus-fail2ban-textcollector.timer.j2
│ │ ├── prometheus-fastly-textcollector.service.j2
│ │ ├── prometheus-fastly-textcollector.timer.j2
│ │ ├── prometheus-hetzner-textcollector.service.j2
│ │ ├── prometheus-hetzner-textcollector.timer.j2
│ │ ├── prometheus-memcached-exporter.j2
│ │ ├── prometheus-mysqld-exporter.j2
│ │ ├── prometheus-node-exporter.env.j2
│ │ ├── prometheus-rebuilderd-textcollector.service.j2
│ │ ├── prometheus-rebuilderd-textcollector.timer.j2
│ │ ├── prometheus-repository-textcollector.service.j2
│ │ ├── prometheus-repository-textcollector.timer.j2
│ │ ├── prometheus-smart-textcollector.service.j2
│ │ └── prometheus-smart-textcollector.timer.j2
├── promtail
│ ├── files
│ │ └── override.conf
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── promtail.yaml.j2
├── public_html
│ ├── files
│ │ ├── generate-public_html.service
│ │ ├── generate-public_html.timer
│ │ └── public_html
│ │ │ ├── check_network_status.txt
│ │ │ └── static
│ │ │ ├── archnavbar
│ │ │ ├── archlogo.png
│ │ │ └── archnavbar.css
│ │ │ ├── archweb.css
│ │ │ └── favicon.ico
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── generate-public_html.j2
│ │ └── nginx.d.conf.j2
├── quassel
│ ├── files
│ │ ├── clean-quassel.service
│ │ ├── clean-quassel.timer
│ │ └── quassel.service.d
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── letsencrypt.hook.d.j2
├── rebuilderd
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── nginx.d.conf.j2
│ │ ├── rebuilderd-sync.conf.j2
│ │ └── rebuilderd.conf.j2
├── rebuilderd_worker
│ ├── files
│ │ ├── clean-repro
│ │ ├── clean-repro.service
│ │ ├── clean-repro.timer
│ │ └── repro.conf
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── rebuilderd-worker.conf.j2
├── redirects
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── maps
│ │ │ └── cgit-migrated-repos.map
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── root_ssh
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── authorized_keys.j2
├── rspamd
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── archlinux.org.dkim-ed25519.key.vault
│ │ ├── archlinux.org.dkim-rsa.key.vault
│ │ ├── lists.archlinux.org.dkim-ed25519.key.vault
│ │ ├── lists.archlinux.org.dkim-rsa.key.vault
│ │ └── local.d
│ │ │ ├── headers_group.conf
│ │ │ ├── logging.inc
│ │ │ ├── milter_headers.conf
│ │ │ ├── options.inc
│ │ │ └── redis.conf
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── dkim_signing.conf.j2
├── rsync_net
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── authorized_keys.j2
├── security_tracker
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── security-tracker-update.service
│ │ └── security-tracker-update.timer
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── 20-user.local.conf.j2
│ │ ├── nginx.d.conf.j2
│ │ └── security-tracker.ini.j2
├── sources
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── sshd
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ ├── motd.j2
│ │ └── sshd_config.j2
├── sudo
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── syncrepo
│ ├── files
│ │ ├── rsyncd.conf
│ │ └── syncrepo-template.sh
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── nginx.d.conf.j2
├── tempo
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── config.yml.j2
├── terraform_state
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── tools
│ └── tasks
│ │ └── main.yml
├── unbound
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── unbound.conf.j2
├── uwsgi
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── emperor.ini.j2
├── valkey
│ └── tasks
│ │ └── main.yml
└── wireguard
│ ├── handlers
│ └── main.yml
│ ├── tasks
│ └── main.yml
│ └── templates
│ ├── wg0.netdev.j2
│ └── wg0.network.j2
├── tf-stage1
├── .terraform.lock.hcl
├── archlinux.tf
├── templates.tf
└── versions.tf
└── tf-stage2
├── .terraform.lock.hcl
├── keycloak.tf
├── uptimerobot.tf
└── versions.tf
/.editorconfig:
--------------------------------------------------------------------------------
1 | root = true
2 |
3 | [*]
4 | charset = utf-8
5 | end_of_line = lf
6 | insert_final_newline = true
7 | trim_trailing_whitespace = true
8 |
9 | [*.yml]
10 | indent_size = 2
11 | indent_style = space
12 |
13 | [*.py]
14 | indent_size = 4
15 | indent_style = space
16 |
17 | [.git*]
18 | indent_size = 8
19 | indent_style = tab
20 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | *.retry
3 | *.terraform
4 | *.tfstate*
5 | /borg-keys/
6 |
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | inventory = hosts
3 | library = library
4 | remote_tmp = $HOME/.ansible/tmp
5 | remote_user = root
6 | nocows = 1
7 | roles_path = roles
8 | vault_id_match = True
9 | vault_identity_list = default@misc/vault-keyring-client.sh,super@misc/vault-keyring-client.sh
10 | retry_files_enabled = False
11 | callback_plugins = plugins/callback
12 | callbacks_enabled = profile_tasks
13 | max_diff_size = 250000
14 | stdout_callback = debug
15 | interpreter_python = /usr/bin/python
16 |
17 | [ssh_connection]
18 | pipelining = True
19 | scp_if_ssh = True
20 | retries = 5
21 |
--------------------------------------------------------------------------------
/docs/kape.md:
--------------------------------------------------------------------------------
1 | ## Kape Servers
2 |
3 | All donated servers use EFI boot except runner1.archlinux.org.
4 |
5 | ### Archive mirrors
6 |
7 | Three servers have been set up as archive and regular mirrors:
8 |
9 | * america.mirror.pkgbuild.com
10 | * asia.mirror.pkgbuild.com
11 | * europe.mirror.pkgbuild.com
12 |
13 | The servers have been set up as RAID 5 with 3 x 10TB disks.
14 |
15 | ### Gitlab runner
16 |
17 | A runner is set up on a 2xE5-2620v4 - 64GB - 2x 1TB SSD as runner1.archlinux.org.
18 |
19 | ### Rebuilderd worker
20 |
21 | A rebuilderd worker is set up on an EPYC - 256GB - 2x 500GB SSD as repro2.pkgbuild.com.
22 |
--------------------------------------------------------------------------------
/docs/testing.md:
--------------------------------------------------------------------------------
1 | ## Testing Ansible Roles
2 |
3 | The following projects were created to allow testing Ansible roles locally, to some extent:
4 |
5 | - [foxboron/infrastructure-shim](https://gitlab.archlinux.org/foxboron/infrastructure-shim) (uses LXD)
6 | - [lahwaacz/infrastructure-testing](https://gitlab.archlinux.org/lahwaacz/infrastructure-testing) (uses systemd-nspawn)
7 |
--------------------------------------------------------------------------------
/group_vars/all/common.yml:
--------------------------------------------------------------------------------
1 | filesystem: btrfs
2 | configure_firewall: true
3 |
4 | # used by the maintenance role to obtain the IP address of the machine
5 | # running the playbook (taken from SSH_CLIENT of the Ansible SSH session)
6 | maintenance_remote_machine: "{{ hostvars[inventory_hostname]['ansible_env'].SSH_CLIENT.split(' ')[0] }}"
7 |
8 | # prometheus exporter ports (node-exporter and memcached-exporter)
9 | prometheus_exporter_port: '9100'
10 | prometheus_memcached_exporter_port: '9150'
11 |
--------------------------------------------------------------------------------
/group_vars/all/geo.yml:
--------------------------------------------------------------------------------
1 | geo_acme_dns_challenge_ns: redirect.archlinux.org
2 | geo_domains:
3 | - geo.mirror.pkgbuild.com
4 | - riscv.mirror.pkgbuild.com
5 | # geo_options.*.hosts defaults to "{{ groups['geo_mirrors'] }}"
6 | geo_options:
7 | geo.mirror.pkgbuild.com:
8 | health_check_path: /lastupdate
9 | riscv.mirror.pkgbuild.com:
10 | health_check_path: /.status/lastupdate.txt
11 |
--------------------------------------------------------------------------------
/group_vars/all/matrix.yml:
--------------------------------------------------------------------------------
1 | matrix_domain: "matrix.archlinux.org"
2 |
3 | # Same as archweb_domain
4 | matrix_server_name: "archlinux.org"
5 |
--------------------------------------------------------------------------------
/group_vars/all/postfix.yml:
--------------------------------------------------------------------------------
1 | # This is overridden for the actual mail server, which uses mail.archlinux.org.
2 | mail_domain: "{{ inventory_hostname }}"
3 |
4 | # password used by postfix for relaying to a central SMTP server (taken from the vault variable)
5 | postfix_relay_password: "{{ vault_postfix_relay_password }}"
6 |
--------------------------------------------------------------------------------
/group_vars/all/vault_aurweb.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 38383639393932666334353834613134353965333939343530636234353536366138346137613636
3 | 3439373136366635623339626236663338623237313135630a333939303839303738653835316430
4 | 37363337386331323263623837373032646438326334623436313034353032386535656139353264
5 | 3834613539356336310a383230373736346434656361333134353136366430393130396466643561
6 | 61356162353661633736356431646538643138383766333763626335393135343363316166656461
7 | 30663961336136356134333231316232653664343839616235396562376436363837356563616136
8 | 656332343163376332636131333166623362
9 |
--------------------------------------------------------------------------------
/group_vars/all/vault_gitlab_runner.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 30333037346139373364316435663432353730393563336438323930613638323532613839323264
3 | 3731623965643333633436636135346438313566633830300a343732353634396137323733343164
4 | 62663231653761356135353465393264313435323466633561663131366531373931366636336364
5 | 6539666664333038650a623565653730303733316261303162343834373364393837613733313635
6 | 62333438613665363430363565373434346632643063383730346634356235313861626538313533
7 | 33343835356533396435666132383936643533653232333632653864636330613163633263343864
8 | 303335316635303833393361366236616232
9 |
--------------------------------------------------------------------------------
/group_vars/all/vault_goaurrpc.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 64356530383261396436353036356166656231363964356266313061393935636365353931333632
3 | 3566333830343965653766316236633563353662633031610a663030643166313432336337346430
4 | 35326662346566383630653433633230613665333264313036303038663063366561636466633635
5 | 6131656134333232640a386363643834383363643665343333653531653231346565393764366137
6 | 35303637316530623136373838626536373265633836623937326234353133383235646461343635
7 | 31346335353939333532336463616130323338316236376163383033313134323133333539613139
8 | 623764623337366432393537353733613538
9 |
--------------------------------------------------------------------------------
/group_vars/all/vault_loki.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 36343338303264623636613438383661393233333533613932303139323937326536646364623438
3 | 3765613735386638326466376439313639313832313664640a323135636231383964333063383438
4 | 30616630386363373835613464633664663261306336633738333066386638623962323531656136
5 | 6161356535383532370a393032646230393637613239303637353535656231626639636166353034
6 | 63613438633538316263623135373365393632353933613233363233663936303137303133643531
7 | 61383233646234336430326133663333356562303830333765633635363561313439303435323966
8 | 313731353436383661333531666362613566
9 |
--------------------------------------------------------------------------------
/group_vars/all/vault_mariadb.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 32613962396662633337333737663063633663653135303963393664326566346263316336353230
3 | 6534633362383730336632323233393139383739366534310a633738666239363831393063373032
4 | 38623562303235393766356431383664303165663339316165383861383763643238323962626636
5 | 6538313835666332330a306531366564336562646237376632663837356435356231306536653030
6 | 33353664333337396630343538343135333264663234333832643638313461636433663064623235
7 | 31636566366364623332303331623333303339393237396537653565373264653030636365643861
8 | 666632313435393936663864373362623036
9 |
--------------------------------------------------------------------------------
/group_vars/all/vault_postfix.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 39383736613436343463623136363863666435323434663561363830303734626239353266313162
3 | 3637613537353934366632386133623838306531663063620a643265373435356438653437623562
4 | 65613131303961623738613864376631666436326138616438306265306333303330643033663862
5 | 3632623864383132310a363361343734623666653665613739636262663132303165653664353637
6 | 34376132303032336632333836656635653536626339323933393831333933616332383165333166
7 | 64356664353239326539323466633936316235613931393635333165373661386530343765323338
8 | 613561343138386364643839653438396437
9 |
--------------------------------------------------------------------------------
/group_vars/all/vault_terraform.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 33643061623037323232656339333436366662643436353531666164326335366331303162623738
3 | 3832356362313364333432616161366433396133393535630a316666636662383935343265363539
4 | 63313331383238396632623863383465393632363533613966663830396165643435646435333664
5 | 3665633863653439660a326437363636326433393065616462323362343933656461386134343633
6 | 30346231633634306466333936363932636365306262393465356436613665376237323064303164
7 | 38663130646338626338353137643436333863316634623434633838656262323132363732316464
8 | 393434616235626231666139633135306632
9 |
--------------------------------------------------------------------------------
/group_vars/buildservers.yml:
--------------------------------------------------------------------------------
1 | enable_zram_swap: true
2 |
--------------------------------------------------------------------------------
/group_vars/geo_mirrors/misc.yml:
--------------------------------------------------------------------------------
1 | certbot_dns_support: true
2 | certbot_tsig_name: certbot
3 | geo_mirror_domain: geo.mirror.pkgbuild.com
4 |
--------------------------------------------------------------------------------
/group_vars/gitlab_runners.yml:
--------------------------------------------------------------------------------
1 | enable_zram_swap: true
2 | gitlab_runner_exporter_port: 9252
3 |
--------------------------------------------------------------------------------
/group_vars/hcloud.yml:
--------------------------------------------------------------------------------
1 | enable_zram_swap: true
2 | configure_network: true
3 | dhcp: true
4 |
--------------------------------------------------------------------------------
/group_vars/hetzner.yml:
--------------------------------------------------------------------------------
1 | configure_network: true
2 |
--------------------------------------------------------------------------------
/group_vars/kape_servers.yml:
--------------------------------------------------------------------------------
1 | configure_network: true
2 |
--------------------------------------------------------------------------------
/group_vars/mirrors/misc.yml:
--------------------------------------------------------------------------------
1 | archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
2 |
3 | # raise the TCP socket buffer (rmem/wmem) limits to 32MiB
4 | tcp_rmem: "10240 87380 33554432"
5 | tcp_wmem: "10240 87380 33554432"
6 |
7 | nginx_enable_http3: true
8 |
--------------------------------------------------------------------------------
/group_vars/rebuilderd_workers.yml:
--------------------------------------------------------------------------------
1 | enable_zram_swap: true
2 |
--------------------------------------------------------------------------------
/host_vars/accounts.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.16
2 | wireguard_public_key: crSq52AQ/ODcZekod0Xw/fBRALl3yv51gNMgPSFrxWc=
3 |
--------------------------------------------------------------------------------
/host_vars/america.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | archive_domain: "america.archive.pkgbuild.com"
2 | mirror_domain: "america.mirror.pkgbuild.com"
3 | archweb_mirrorcheck_locations: [14, 15]
4 | ipv4_address: "143.244.34.62"
5 | ipv4_netmask: "/25"
6 | ipv4_gateway: "143.244.34.126"
7 | ipv6_address: "2a02:6ea0:cc0e::2"
8 | ipv6_netmask: "/128"
9 | ipv6_gateway: "2a02:6ea0:cc0e::1337"
10 | network_interface: "enp1s0f1"
11 | system_disks:
12 | - /dev/sda
13 | - /dev/sdb
14 | - /dev/sdc
15 | raid_level: "raid5"
16 | wireguard_address: 10.0.0.27
17 | wireguard_public_key: 5oI+dah4LlkUPBs/JI5lJAgDxBQa/+ofu0hLfxAkcio=
18 |
--------------------------------------------------------------------------------
/host_vars/archive.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "49.12.124.107"
2 | ipv4_netmask: "/32"
3 | ipv6_address: "2a01:4f8:242:5614::2"
4 | ipv6_netmask: "/128"
5 | ipv4_gateway: "49.12.124.65"
6 | ipv6_gateway: "fe80::1"
7 | system_disks:
8 | - /dev/sda
9 | - /dev/sdb
10 | - /dev/sdc
11 | - /dev/sdd
12 | raid_level: "raid10"
13 |
14 | archive_domain: archive.archlinux.org
15 | wireguard_address: 10.0.0.20
16 | wireguard_public_key: GiMqMcJ7aEuW6rRwXsj27S+w7orx7Etnjq+dE6RhoSc=
17 |
--------------------------------------------------------------------------------
/host_vars/archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | fetchmail_user: "donate@archlinux.org"
2 | fetchmail_delivery_cmd: "/usr/local/bin/donor_import_wrapper.sh"
3 |
4 | ipv4_address: "95.217.163.246"
5 | ipv6_address: "2a01:4f9:c010:6b1f::1"
6 |
7 | fail2ban_jails:
8 | sshd: true
9 | postfix: false
10 | dovecot: false
11 | nginx_limit_req: true
12 | wireguard_address: 10.0.0.1
13 | wireguard_public_key: 2Mk9WPdkf+1Q6Kk6g5eeX5xSHfCisiGJAdmSjRyefBo=
14 | nginx_enable_http3: true
15 |
--------------------------------------------------------------------------------
/host_vars/archlinux.org/vault_archlinux.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 66373466643262646662323338363436303635633365646439633336663563326432653166313130
3 | 3161633361363235326432306266613462643962663734340a326563363165336530353965653763
4 | 35663337356138363261336163613733633435363733383064393566623561613537346132626535
5 | 6362666333643936320a343439373362323736303363393330613961366165633433643364336661
6 | 35633537383238336363346234633033643561353935373766623537613239396334353338396232
7 | 36313136636166323534636332393332356466326534333233363134626565313334343962316538
8 | 313130313634373237623835323530663264
9 |
--------------------------------------------------------------------------------
/host_vars/asia.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | archive_domain: "asia.archive.pkgbuild.com"
2 | mirror_domain: "asia.mirror.pkgbuild.com"
3 | archweb_mirrorcheck_locations: [16, 17]
4 | ipv4_address: "84.17.57.98"
5 | ipv4_netmask: "/24"
6 | ipv4_gateway: "84.17.57.110"
7 | ipv6_address: "2a02:6ea0:d605::2"
8 | ipv6_netmask: "/128"
9 | ipv6_gateway: "2a02:6ea0:d605::1337"
10 | network_interface: "enp175s0f0"
11 | system_disks:
12 | - /dev/sda
13 | - /dev/sdb
14 | - /dev/sdc
15 | raid_level: "raid5"
16 | wireguard_address: 10.0.0.26
17 | wireguard_public_key: cU2/3DKCNCWJwZP6SF7ifKHS+VFeC7VQ212eTof8IxU=
18 |
--------------------------------------------------------------------------------
/host_vars/aur.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | fail2ban_jails:
2 | sshd: true
3 | postfix: false
4 | dovecot: false
5 | nginx_limit_req: true
6 | memcached_socket: "/run/memcached/aurweb.sock"
7 | wireguard_address: 10.0.0.2
8 | wireguard_public_key: 51KGJWs3ZlI4tEdOpYFENhf22aETQEn9ApbmVyiF4zQ=
9 | nginx_enable_http3: true
10 |
--------------------------------------------------------------------------------
/host_vars/bbs.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.17
2 | wireguard_public_key: F5gX6SV5aka/fxEkgsVm1YRCYoeDY6d/H5C9U3/SrVU=
3 |
--------------------------------------------------------------------------------
/host_vars/berlin.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | mirror_domain: berlin.mirror.pkgbuild.com
2 | ipv4_address: 45.142.247.77
3 | ipv4_netmask: /32
4 | ipv4_gateway: 100.100.0.0
5 | ipv6_address: 2a12:8d02:2100:10d:26a3:f0ff:fe47:bfaf
6 | ipv6_netmask: /64
7 | ipv6_gateway: fe80::1
8 | ipv6_ignore_ra: true
9 | network_interface: enp3s0
10 | system_disks:
11 | - /dev/vda
12 |
13 | wireguard_address: 10.0.0.48
14 | wireguard_public_key: ziVw29XM42aAD7Ur3n63Ic5vAyYO0xoxqfKKW/iBmAA=
15 |
--------------------------------------------------------------------------------
/host_vars/bugbuddy.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.44
2 | wireguard_public_key: /x1Czg/8u24dVhi+WMSGeSbw2HKk3la0K8X1WsDk7yA=
3 |
--------------------------------------------------------------------------------
/host_vars/build.archlinux.org/mirrorsync.yml:
--------------------------------------------------------------------------------
1 | ../../group_vars/mirrors/mirrorsync.yml
--------------------------------------------------------------------------------
/host_vars/build.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | network_interface: "enp193s0f0np0"
2 | ipv4_address: "162.55.28.166"
3 | ipv4_netmask: "/32"
4 | ipv6_address: "2a01:4f8:2190:20e0::2"
5 | ipv6_netmask: "/64"
6 | ipv4_gateway: "162.55.28.129"
7 | ipv6_gateway: "fe80::1"
8 | system_disks:
9 | - /dev/nvme0n1
10 | - /dev/nvme1n1
11 | raid_level: "raid1"
12 |
13 | archbuild_fs: 'btrfs'
14 | wireguard_address: 10.0.0.18
15 | wireguard_public_key: 9Lii487Uuzu5ihJwHx6RBpCiUWRHl9VGwC+Oz5wzejk=
16 |
--------------------------------------------------------------------------------
/host_vars/dashboards.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: 157.90.255.107
2 | wireguard_address: 10.0.0.33
3 | wireguard_public_key: Vv2qAjdcPpAvt1hOV5zc4WR6iTqmiPdDNr5+9Wv2Jw4=
4 |
--------------------------------------------------------------------------------
/host_vars/debuginfod.archlinux.org/mirrorsync.yml:
--------------------------------------------------------------------------------
1 | ../../group_vars/mirrors/mirrorsync.yml
--------------------------------------------------------------------------------
/host_vars/debuginfod.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: 168.119.240.111
2 | ipv6_address: 2a01:4f8:c010:74d4::1
3 | wireguard_address: 10.0.0.35
4 | wireguard_public_key: R3ZlD7HmoiGH2FyIGSaiYc1hIA7JHp3ivXQlRGc7iyA=
5 |
--------------------------------------------------------------------------------
/host_vars/europe.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | archive_domain: "europe.archive.pkgbuild.com"
2 | mirror_domain: "europe.mirror.pkgbuild.com"
3 | archweb_mirrorcheck_locations: [18, 19]
4 | ipv4_address: "89.187.191.12"
5 | ipv4_netmask: "/26"
6 | ipv4_gateway: "89.187.191.62"
7 | ipv6_address: "2a02:6ea0:c237::2"
8 | ipv6_netmask: "/128"
9 | ipv6_gateway: "2a02:6ea0:c237::1337"
10 | network_interface: "enp1s0f1"
11 | system_disks:
12 | - /dev/sda
13 | - /dev/sdb
14 | - /dev/sdc
15 | raid_level: "raid5"
16 | wireguard_address: 10.0.0.28
17 | wireguard_public_key: 3C9yMutZJfOn2UkOhnGeM9DnLFJaeo6uTY9CGRlBZVM=
18 |
--------------------------------------------------------------------------------
/host_vars/gitlab.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ansible_port: 2222
2 | sshd_port: 2222
3 | enable_zram_swap: true
4 | additional_addresses: ["213.133.111.6/32", "2a01:4f8:222:174c::2/64"]
5 | wireguard_address: 10.0.0.5
6 | wireguard_public_key: ebEWzriL3dohjDP49Hp+SGHZBnzx8fjnohDN3igQlCc=
7 | network_interface: "en*"
8 | ipv4_address: "213.133.111.15"
9 | ipv4_netmask: "/32"
10 | ipv6_address: "2a01:4f8:222:174c::1"
11 | ipv6_netmask: "/64"
12 | ipv4_gateway: "213.133.111.1"
13 | ipv6_gateway: "fe80::1"
14 | system_disks:
15 | - /dev/nvme0n1
16 | - /dev/nvme1n1
17 |
--------------------------------------------------------------------------------
/host_vars/gluebuddy.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.36
2 | wireguard_public_key: YqQMISqTUwXPphhfBDXGcbwjEkz8xgtsnaazFCIGgmk=
3 |
--------------------------------------------------------------------------------
/host_vars/homedir.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.13
2 | wireguard_public_key: 67qt5z1YsqhLTnMFo96YoDwtXDFmukF3EcWtrV5ZCHA=
3 |
--------------------------------------------------------------------------------
/host_vars/johannesburg.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | mirror_domain: johannesburg.mirror.pkgbuild.com
2 | ipv4_address: 102.130.49.241
3 | ipv4_netmask: /32
4 | ipv4_gateway: 100.100.0.0
5 | ipv6_address: 2a0b:4342:1a91:3b5:26a3:f0ff:fe49:9bf9
6 | ipv6_netmask: /64
7 | ipv6_gateway: fe80::1
8 | ipv6_ignore_ra: true
9 | network_interface: enp3s0
10 | system_disks:
11 | - /dev/vda
12 |
13 | wireguard_address: 10.0.0.49
14 | wireguard_public_key: iteueE5NMEMCiqItSIDWmvi5OxSBzjnNaHA8APZ9eCE=
15 |
--------------------------------------------------------------------------------
/host_vars/lists.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: 95.217.236.249
2 | wireguard_address: 10.0.0.34
3 | wireguard_public_key: XUbI7fDRKPbG/MIfgH3c4fNhC28F4aXWvknOEV3CxUg=
4 |
--------------------------------------------------------------------------------
/host_vars/london.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | mirror_domain: "london.mirror.pkgbuild.com"
2 | archweb_mirrorcheck_locations: [22, 23]
3 | ipv4_address: "185.73.44.89"
4 | ipv4_netmask: "/22"
5 | ipv4_gateway: "185.73.44.1"
6 | ipv6_address: "2001:ba8:0:4030::2"
7 | ipv6_netmask: "/64"
8 | ipv6_gateway: "fe80::fcff:ffff:feff:ffff"
9 | network_interface: "enX0"
10 | system_disks:
11 | - /dev/xvda1
12 | extra_disks:
13 | - /dev/xvdb
14 | wireguard_address: 10.0.0.43
15 | wireguard_public_key: PRjfJjtYe8GtihCw2cm+ocWFZpEtVdKC3B1C5AsPC1A=
16 |
--------------------------------------------------------------------------------
/host_vars/losangeles.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | mirror_domain: losangeles.mirror.pkgbuild.com
2 | ipv4_address: 209.209.59.11
3 | ipv4_netmask: /32
4 | ipv4_gateway: 100.100.0.0
5 | ipv6_address: 2a0e:6901:110:95:26a3:f0ff:fe48:999e
6 | ipv6_netmask: /64
7 | ipv6_gateway: fe80::1
8 | ipv6_ignore_ra: true
9 | network_interface: enp3s0
10 | system_disks:
11 | - /dev/vda
12 |
13 | wireguard_address: 10.0.0.50
14 | wireguard_public_key: E4L+960hnziPxdmp5yPLEN/J53tUqy23wg1g+N1+xx0=
15 |
--------------------------------------------------------------------------------
/host_vars/mail.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | mail_domain: "mail.archlinux.org"
2 |
3 | fail2ban_jails:
4 | sshd: true
5 | postfix: true
6 | dovecot: true
7 | nginx_limit_req: false
8 |
9 | ipv4_address: "95.216.189.61"
10 | ipv6_address: "2a01:4f9:c010:3052::1"
11 | wireguard_address: 10.0.0.14
12 | wireguard_public_key: zB4ALQPMOYu8yzGdiDL1AHgowmVZHc2OUJq1igy3Ixo=
13 |
--------------------------------------------------------------------------------
/host_vars/man.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | fail2ban_jails:
2 | sshd: true
3 | postfix: false
4 | dovecot: false
5 | nginx_limit_req: true
6 | wireguard_address: 10.0.0.32
7 | wireguard_public_key: CuhJyhmHsi0ccdeXgXRacqnFVfYrjVDHxfPPOLehkhw=
8 |
--------------------------------------------------------------------------------
/host_vars/matrix.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | static_dns: true
2 | wireguard_address: 10.0.0.15
3 | wireguard_public_key: Oh6gZG9HbchVM6xiYOJQ6JpF6QD7EeRD7Xa6c5fr5CA=
4 |
--------------------------------------------------------------------------------
/host_vars/md.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.31
2 | wireguard_public_key: g7VwZ5+sEAaKfMY/322ajv2tAXarJj96u9mhH3SK6no=
3 |
--------------------------------------------------------------------------------
/host_vars/mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | mirror_domain: mirror.pkgbuild.com
2 | archweb_mirrorcheck_locations: [20, 21]
3 |
4 | ipv4_address: "78.46.209.220"
5 | ipv4_netmask: "/32"
6 | ipv6_address: "2a01:4f8:c2c:c62f::1"
7 | ipv6_netmask: "/64"
8 | wireguard_address: 10.0.0.12
9 | wireguard_public_key: T15w8Cgri7djo6an/uG/8yr8f5KAsnnKyTgIw4dkr2I=
10 |
--------------------------------------------------------------------------------
/host_vars/monitoring.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: 95.217.220.31
2 | wireguard_address: 10.0.0.4
3 | wireguard_public_key: h+Zio6WZ+Q2mrC48eLARL+9pKveFh5QM3mckFkfcLSQ=
4 |
--------------------------------------------------------------------------------
/host_vars/monitoring.archlinux.org/vault_monitoring.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 65363466633864643139656431626664353130343631323739353962636338363734613264336436
3 | 3463613565343462356461313865656132613564346665630a346234333163363837303962626630
4 | 64373736383839353866316633323232666437393131346534666639663462336539646138643934
5 | 3331623662393437610a306462613930613066376338393039646562653961373665343565316362
6 | 34356364663732346532303161353264663765663138666161643665333738646634633862363561
7 | 65366635356263333734346662623363396530376431616162333266653739653336656637316265
8 | 313130663865363366383964326566366661
9 |
--------------------------------------------------------------------------------
/host_vars/mumble.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "188.245.228.0"
2 | ipv4_netmask: "/32"
3 | ipv6_address: "2a01:4f8:c012:d0ce::1"
4 | fail2ban_jails:
5 | sshd: true
6 | postfix: false
7 | dovecot: false
8 | nginx_limit_req: false
9 | wireguard_address: 10.0.0.46
10 | wireguard_public_key: BD2cbLkESFRPLy4luZlwEPc45yBFmd1Ti2nSFd1hVBQ=
11 | certbot_dns_support: true
12 | certbot_tsig_name: mumble
13 |
--------------------------------------------------------------------------------
/host_vars/opensearch.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.42
2 | wireguard_public_key: CRtFlKdquOb5P62czuhhzA10teUh/iY/xPPEoOj2gFM=
3 |
--------------------------------------------------------------------------------
/host_vars/packer-base-image:
--------------------------------------------------------------------------------
1 | dhcp: true
2 | system_disks:
3 | - /dev/sda
4 |
--------------------------------------------------------------------------------
/host_vars/phrik.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | arch_users:
2 | demize:
3 | name: "Johannes Löthberg"
4 | ssh_key: demize.pub
5 | groups:
6 | - tu
7 | arch_groups: []
8 | wireguard_address: 10.0.0.9
9 | wireguard_public_key: ZDCc0Flid5Fv0fezfioduAyLJzFiPenQTjXFtoFadiM=
10 |
--------------------------------------------------------------------------------
/host_vars/quassel.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.10
2 | wireguard_public_key: JkSDACCDONV5Lb+VCyntTVer4VT8Wiif2MQ7+jQg5AY=
3 |
--------------------------------------------------------------------------------
/host_vars/redirect.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | wireguard_address: 10.0.0.25
2 | wireguard_public_key: MOhw0Jk1S526WtcvvMdxHxLRMSSQPkv3AeH09W0wWxo=
3 |
4 | ipv4_address: "95.216.195.133"
5 | ipv6_address: "2a01:4f9:c010:2636::1"
6 |
7 | # The default limit of 65536 is too small to handle ping.archlinux.org traffic
8 | nf_conntrack_max: 262144
9 |
--------------------------------------------------------------------------------
/host_vars/repos.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "168.119.141.106"
2 | ipv4_netmask: "/32"
3 | ipv6_address: "2a01:4f8:251:598::"
4 | ipv6_netmask: "/64"
5 | ipv4_gateway: "168.119.141.65"
6 | ipv6_gateway: "fe80::1"
7 | system_disks:
8 | - /dev/nvme0n1
9 | - /dev/nvme1n1
10 | - /dev/nvme2n1
11 | raid_level: "raid1"
12 |
13 | wireguard_address: 10.0.0.45
14 | wireguard_public_key: ZE7fr78hG6eB3Qjhys0n7DxplMBbcWzBGI7DhMvCeDc=
15 |
--------------------------------------------------------------------------------
/host_vars/repro2.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "212.102.38.209"
2 | ipv4_netmask: "/24"
3 | ipv4_gateway: "212.102.38.222"
4 | ipv6_address: "2a02:6ea0:c238::2"
5 | ipv6_netmask: "/128"
6 | ipv6_gateway: "2a02:6ea0:c238::1337"
7 |
8 | network_interface: "enp65s0f0"
9 |
10 | system_disks:
11 | - /dev/sda
12 | - /dev/sdb
13 | raid_level: "raid1"
14 |
15 | rebuilderd_workers:
16 | - repro21
17 | - repro22
18 | - repro23
19 | - repro24
20 | wireguard_address: 10.0.0.29
21 | wireguard_public_key: L47UZExXfMnoPAtcM3hRxkdsPEdvl+hfAJYtUx64lwc=
22 |
--------------------------------------------------------------------------------
/host_vars/repro3.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "147.75.84.133"
2 | ipv4_netmask: "/31"
3 | ipv6_address: "2604:1380:4601:7d00::1"
4 | ipv6_netmask: "/127"
5 | ipv4_gateway: "147.75.84.132"
6 | ipv6_gateway: "2604:1380:4601:7d00::"
7 | network_interface: "enp1s0f0np0"
8 | system_disks:
9 | - /dev/sda
10 | configure_network: true
11 |
12 | # there is a big swap partition; avoid zram and rely on zswap instead
13 | enable_zram_swap: false
14 |
15 | rebuilderd_workers:
16 | - repro31
17 | - repro32
18 | wireguard_address: 10.0.0.40
19 | wireguard_public_key: 9rIoEz3NZnprT2CIb/NpRiX6XsUAkgLwIaG3p9IcHlI=
20 |
--------------------------------------------------------------------------------
/host_vars/reproducible.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | zram_fraction: 2.0
2 | wireguard_address: 10.0.0.6
3 | wireguard_public_key: d/emQtrNru4RLGGLc4TUfM3kHZrQZcweW3IGyHKHoUo=
4 |
--------------------------------------------------------------------------------
/host_vars/runner1.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "138.199.19.15"
2 | ipv4_netmask: "/25"
3 | ipv4_gateway: "138.199.19.126"
4 | ipv6_address: "2a02:6ea0:c72e::2"
5 | ipv6_netmask: "/64"
6 | ipv6_gateway: "2a02:6ea0:c72e::1337"
7 | ipv6_ignore_ra: true
8 | network_interface: "enp1s0f0"
9 | system_disks:
10 | - /dev/sda
11 | - /dev/sdb
12 | raid_level: "raid1"
13 |
14 | configure_network: true
15 | wireguard_address: 10.0.0.30
16 | wireguard_public_key: HNs19dDeutg4yA2twh9Qw26bfVA1J9Z5rrBYSye0q2k=
17 |
--------------------------------------------------------------------------------
/host_vars/runner3.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
1 | ipv4_address: "86.109.5.205"
2 | ipv4_netmask: "/31"
3 | ipv6_address: "2604:1380:4091:8800::1"
4 | ipv6_netmask: "/127"
5 | ipv4_gateway: "86.109.5.204"
6 | ipv6_gateway: "2604:1380:4091:8800::"
7 | network_interface: "enp2s0f0np0"
8 | system_disks:
9 | - /dev/sda
10 | - /dev/sdb
11 | configure_network: true
12 | wireguard_address: 10.0.0.41
13 | wireguard_public_key: flSHBQWtwvO/OavyFGN4JaO+ezgoi42nCJxComtpPCA=
14 |
--------------------------------------------------------------------------------
/host_vars/runner3.archlinux.org/vault_gitlab_runner.yml:
--------------------------------------------------------------------------------
1 | $ANSIBLE_VAULT;1.1;AES256
2 | 61393764313032383438646564363862656633353666356433303832386530386333356635643534
3 | 6666353235363964316438316530343033663162376532390a353065376333333566303061343137
4 | 63616134323065636462353762353365353138646237316561313538616339666635326365313231
5 | 6330346138353238350a393164323965626230373438373134613462333665336630666263623330
6 | 34393332343836303662616165303037386362373762353138643339343165636661323638373431
7 | 32303232653563663332663736346264386361393761613337333733336136313662333934643935
8 | 393861313965633937356337373032363637
9 |
--------------------------------------------------------------------------------
/host_vars/secure-runner1.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
# secure-runner1.archlinux.org. Host routes only (/32 and /128) with an off-link
# gateway and a link-local IPv6 gateway — the network role has to add the gateway
# as an on-link route for this to work (not visible here). Unlike the other
# runners no configure_network/network_interface keys are set; confirm the
# defaults cover this host.
ipv4_address: "116.202.134.150"
ipv4_netmask: "/32"
ipv4_gateway: "116.202.134.129"

ipv6_address: "2a01:4f8:231:4e1e::2"
ipv6_netmask: "/128"
ipv6_gateway: "fe80::1"

system_disks:
  - /dev/nvme0n1
  - /dev/nvme1n1

# WireGuard overlay identity (public half only).
wireguard_address: 10.0.0.8
wireguard_public_key: Ltuc7ESRSuy0fbtl0an7kC6nlpm0GgrDkan+3Cnszng=
12 |
--------------------------------------------------------------------------------
/host_vars/security.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
# security.archlinux.org (security tracker).
# WireGuard overlay identity (public half only).
wireguard_address: 10.0.0.24
wireguard_public_key: 5TMXSk3wbltxbfaBaMcrRmEZ4hfyhDRttlZbfb58U3s=

# fail2ban jail selection for this host: ssh brute force and nginx
# rate-limit violations are banned; the mail jails are off (presumably no
# postfix/dovecot service is exposed here — confirm against the playbook).
fail2ban_jails:
  sshd: true
  nginx_limit_req: true
  postfix: false
  dovecot: false
9 |
--------------------------------------------------------------------------------
/host_vars/singapore.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
# singapore.mirror.pkgbuild.com — package mirror VM (single virtio disk).
# /32 with a gateway far outside the prefix (100.100.0.0) and a link-local IPv6
# gateway: the network role must install the gateway as an on-link route.
mirror_domain: singapore.mirror.pkgbuild.com
network_interface: enp3s0

ipv4_address: 194.156.163.63
ipv4_netmask: /32
ipv4_gateway: 100.100.0.0

ipv6_address: 2407:b9c0:e002:166:26a3:f0ff:fe46:6e9c
ipv6_netmask: /64
ipv6_gateway: fe80::1
# Static IPv6 only; router advertisements are not honoured.
ipv6_ignore_ra: true

system_disks:
  - /dev/vda

# WireGuard overlay identity (public half only).
wireguard_address: 10.0.0.51
wireguard_public_key: Kzma6D82LjLZhwj4/7pLS9w660PIHnLob7jqjvBO5y8=
15 |
--------------------------------------------------------------------------------
/host_vars/state.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
# state.archlinux.org — WireGuard overlay identity (public half only).
wireguard_address: "10.0.0.11"
wireguard_public_key: "byTCGLgHF4GqCCjmCRHJi/pzyKJKEBAik/ViVrafgzA="
3 |
--------------------------------------------------------------------------------
/host_vars/sydney.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
# sydney.mirror.pkgbuild.com — package mirror on a point-to-point uplink
# (/31 and /127, the gateway being the other end of the link). The IPv6
# gateway ends in "::" and must stay quoted to remain valid YAML.
mirror_domain: "sydney.mirror.pkgbuild.com"
configure_network: true
network_interface: "enp2s0f0np0"

ipv4_address: "147.75.48.159"
ipv4_netmask: "/31"
ipv4_gateway: "147.75.48.158"

ipv6_address: "2604:1380:40f1:6a00::1"
ipv6_netmask: "/127"
ipv6_gateway: "2604:1380:40f1:6a00::"

system_disks:
  - /dev/sda
  - /dev/sdb

# WireGuard overlay identity (public half only).
wireguard_address: 10.0.0.39
wireguard_public_key: LxsZN7J4OrPUZgGldHQ0tLzFmXuS65IsCGyEPfCrMWo=
15 |
--------------------------------------------------------------------------------
/host_vars/taipei.mirror.pkgbuild.com/misc.yml:
--------------------------------------------------------------------------------
# taipei.mirror.pkgbuild.com — package mirror VM, same provider layout as
# singapore: /32 with an off-link gateway (100.100.0.0) and fe80::1 for IPv6,
# so the network role has to add the gateway as an on-link route.
mirror_domain: taipei.mirror.pkgbuild.com
network_interface: enp3s0

ipv4_address: 45.150.242.222
ipv4_netmask: /32
ipv4_gateway: 100.100.0.0

ipv6_address: 2407:b9c0:b001:c4:26a3:f0ff:fe46:b1dc
ipv6_netmask: /64
ipv6_gateway: fe80::1
# Static IPv6 only; router advertisements are not honoured.
ipv6_ignore_ra: true

system_disks:
  - /dev/vda

# WireGuard overlay identity (public half only).
wireguard_address: 10.0.0.52
wireguard_public_key: 9R3ZurGRt5/DT+ElMXrV89XMEdmJnfKv67shDKY4cXc=
15 |
--------------------------------------------------------------------------------
/host_vars/wiki.archlinux.org/misc.yml:
--------------------------------------------------------------------------------
# wiki.archlinux.org (MediaWiki).
# memcached is reached over a unix socket rather than TCP, so it is not
# exposed on any network interface.
memcached_socket: "/run/memcached/archwiki.sock"

# nginx build options for this host. HTTP/3 runs over UDP/443 — the firewalld
# role must permit that for clients to actually negotiate it (confirm).
nginx_enable_http3: true
nginx_extra_modules:
  - name: geoip2

# WireGuard overlay identity (public half only).
wireguard_address: 10.0.0.22
wireguard_public_key: +HOjbJivvyeww7Mvej5IOZghZ000AAGxy1qN1eZZajo=
7 |
--------------------------------------------------------------------------------
/misc/vault-keyring-client.sh:
--------------------------------------------------------------------------------
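#!/bin/sh
# Ansible vault password client. Because the file name ends in "-client",
# ansible-vault invokes it as
#     vault-keyring-client.sh --vault-id <label>
# and reads the plaintext vault password from stdout. The password is kept
# GPG-encrypted next to this script as vault-<label>-password.gpg and is
# re-wrapped for the current keyholders by playbooks/tasks/reencrypt-vault-*.yml.
set -eu

# Enforce the "--vault-id <label>" calling convention: an empty or missing
# label would otherwise silently resolve to "vault--password.gpg".
if [ "${1-}" != "--vault-id" ] || [ -z "${2-}" ]; then
    printf 'usage: %s --vault-id <label>\n' "$0" >&2
    exit 2
fi

# The label is operator supplied (ansible.cfg / command line), not untrusted
# input, but keep it to a plain identifier so it can never form a path.
case "$2" in
    *[!A-Za-z0-9_-]*)
        printf 'vault id %s contains characters other than [A-Za-z0-9_-]\n' "$2" >&2
        exit 2
        ;;
esac

script_dir="$(dirname -- "$0")"
readonly vault_password_file_encrypted="${script_dir}/vault-$2-password.gpg"

# flock used to work around "gpg: decryption failed: No secret key" in tf-stage2
# would otherwise need 'auto-expand-secmem' (https://dev.gnupg.org/T3530#106174)
flock "$vault_password_file_encrypted" \
    gpg --batch --decrypt --quiet "$vault_password_file_encrypted"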
9 |
--------------------------------------------------------------------------------
/one-shots/README.md:
--------------------------------------------------------------------------------
This directory contains one-off scripts that were run once and may have been modified ad hoc along the way; they are not maintained tooling.

They are kept for documentation purposes only.
4 |
--------------------------------------------------------------------------------
/one-shots/keycloak-keyfetcher/get_fingerprint.sh:
--------------------------------------------------------------------------------
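#!/usr/bin/env bash
# Print the SHA-1 fingerprint (colon separated, upper case) of the X.509
# certificate published in the Keycloak SAML IdP descriptor — presumably the
# format a SAML service provider configuration expects for its IdP cert
# fingerprint setting.
set -euo pipefail

descriptor_url="https://accounts.archlinux.org/realms/archlinux/protocol/saml/descriptor"

# --fail: an HTTP error body must abort the pipeline instead of being hashed
# into a plausible-looking fingerprint; --proto '=https' refuses any redirect
# off HTTPS, since whatever comes back here ends up trusted by the SP.
# NOTE(review): assumes the descriptor carries exactly one X509Certificate
# element; with several, the XPath would concatenate their text and the hash
# would not be any certificate's fingerprint — confirm against the live
# descriptor.
curl --fail --silent --show-error --proto '=https' "$descriptor_url" \
    | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - \
    | base64 -d \
    | sha1sum \
    | cut -d ' ' -f1 \
    | sed -e 's/.\{2\}/&:/g' -e 's/:$//' \
    | tr '[:lower:]' '[:upper:]'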
4 |
--------------------------------------------------------------------------------
/playbooks/all-hosts-basic.yml:
--------------------------------------------------------------------------------
# Baseline applied to every inventory host. Several per-host playbooks in this
# directory omit parts of this set (hardening, fail2ban or firewalld); each such
# omission is worth confirming as deliberate.
- name: Basic setup for all hosts
  hosts: all
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    # Backup client only for members of the borg_clients group.
    - role: borg_client
      tags: ["borg"]
      when: "'borg_clients' in group_names"
    - role: hardening
    - role: fail2ban
13 |
--------------------------------------------------------------------------------
/playbooks/archive-mirrors.yml:
--------------------------------------------------------------------------------
# Shared play for the archive_mirrors group. Same base as all-hosts-basic.yml
# except that no fail2ban role is applied to these hosts.
- name: Common playbook for archive-mirrors
  hosts: archive_mirrors
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: hardening
    - role: sshd
    - role: root_ssh
    - role: certbot
    - role: nginx
    - role: mirrorsync
    - role: archive_web
    - role: prometheus_exporters
    - role: promtail
17 |
--------------------------------------------------------------------------------
/playbooks/archive.archlinux.org.yml:
--------------------------------------------------------------------------------
# archive.archlinux.org. Note: unlike all-hosts-basic.yml this play applies no
# hardening role. Its secrets are loaded from a vault file under misc/vaults/
# rather than from group_vars/host_vars.
- name: Setup archive.archlinux.org
  hosts: archive.archlinux.org
  remote_user: root
  vars_files:
    - ../misc/vaults/vault_archive.yml
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    - role: borg_client
      tags: ['borg']
    - role: certbot
    - role: nginx
    - role: archive
    - role: archive_web
    - role: fail2ban
    - role: prometheus_exporters
    - role: promtail
20 |
--------------------------------------------------------------------------------
/playbooks/bugbuddy.archlinux.org.yml:
--------------------------------------------------------------------------------
# bugbuddy.archlinux.org. No hardening role here, unlike all-hosts-basic.yml.
- name: Setup bugbuddy.archlinux.org
  hosts: bugbuddy.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    - role: prometheus_exporters
    - role: promtail
    - role: fail2ban
    - role: bugbuddy
14 |
--------------------------------------------------------------------------------
/playbooks/build.archlinux.org.yml:
--------------------------------------------------------------------------------
# build.archlinux.org — shared packager build host: archusers gives the
# packagers accounts and the sudo role their privileges. No hardening role
# is applied here (contrast all-hosts-basic.yml); wireguard comes after the
# build roles, firewalld before them.
- name: Setup build.archlinux.org
  hosts: build.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: tools
      extra_utils: ['setconf', 'plocate']
    - role: firewalld
    - role: sshd
    - role: root_ssh
    - role: archusers
    - role: sudo
      tags: ['archusers']
    - role: mirrorsync
    - role: archbuild
    - role: fail2ban
    - role: wireguard
    - role: prometheus_exporters
    - role: promtail
18 |
--------------------------------------------------------------------------------
/playbooks/debuginfod.archlinux.org.yml:
--------------------------------------------------------------------------------
# debuginfod.archlinux.org — public debuginfod behind nginx/certbot, fed by
# mirrorsync. Hardening is applied; fail2ban is not (contrast all-hosts-basic.yml).
- name: Setup debuginfod.archlinux.org
  hosts: debuginfod.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: hardening
    - role: sshd
    - role: root_ssh
    - role: certbot
    - role: nginx
    - role: debuginfod
    - role: mirrorsync
    - role: prometheus_exporters
    - role: promtail
17 |
--------------------------------------------------------------------------------
/playbooks/gitlab-runners.yml:
--------------------------------------------------------------------------------
# Shared play for the gitlab_runners group: full baseline (hardening + fail2ban),
# then libvirt only for the VM-backed runners, then the runner itself last.
- name: Setup gitlab-runners
  hosts: gitlab_runners
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: hardening
    - role: sshd
    - role: root_ssh
    - role: fail2ban
    - role: prometheus_exporters
    - role: promtail
    - role: libvirt
      when: "'gitlab_vm_runners' in group_names"
    - role: gitlab_runner
16 |
--------------------------------------------------------------------------------
/playbooks/gluebuddy.archlinux.org.yml:
--------------------------------------------------------------------------------
# gluebuddy.archlinux.org. No hardening role here, unlike all-hosts-basic.yml.
- name: Setup gluebuddy.archlinux.org
  hosts: gluebuddy.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    - role: gluebuddy
    - role: prometheus_exporters
    - role: promtail
    - role: fail2ban
14 |
--------------------------------------------------------------------------------
/playbooks/homedir.archlinux.org.yml:
--------------------------------------------------------------------------------
# homedir.archlinux.org — multi-user shell host (archusers) serving user pages
# under pkgbuild.com. Note: this is one of the few plays with neither firewalld
# nor hardening (contrast all-hosts-basic.yml); confirm that is intentional for a
# host with many interactive users.
- name: Setup homedir.archlinux.org
  hosts: homedir.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: tools
    - role: sshd
    - role: root_ssh
    - role: certbot
    - role: nginx
    - role: archusers
    - role: public_html
      public_domain: "pkgbuild.com"
      tags: ['nginx']
    - role: borg_client
      tags: ["borg"]
    - role: prometheus_exporters
    - role: promtail
    - role: fail2ban
    - role: wireguard
18 |
--------------------------------------------------------------------------------
/playbooks/man.archlinux.org.yml:
--------------------------------------------------------------------------------
# man.archlinux.org — archmanweb (pinned to v1.14) on uwsgi + postgres behind
# nginx. Full baseline including hardening and fail2ban; firewalld and wireguard
# are applied before common here, unlike most other plays.
- name: Setup man.archlinux.org
  hosts: man.archlinux.org
  remote_user: root
  roles:
    - role: firewalld
    - role: wireguard
    - role: common
    - role: sshd
    - role: root_ssh
    - role: hardening
    - role: certbot
    - role: nginx
    - role: fail2ban
    - role: prometheus_exporters
    - role: promtail
    - role: postgres
    - role: uwsgi
    - role: archmanweb
      archmanweb_version: 'v1.14'
19 |
--------------------------------------------------------------------------------
/playbooks/mumble.archlinux.org.yml:
--------------------------------------------------------------------------------
# mumble.archlinux.org — full baseline (hardening + fail2ban); certbot runs just
# before mumble_server, presumably to have a certificate ready for it.
- name: Setup mumble server
  hosts: mumble.archlinux.org
  remote_user: root
  roles:
    - role: firewalld
    - role: wireguard
    - role: hardening
    - role: common
    - role: sshd
    - role: root_ssh
    - role: borg_client
      tags: ["borg"]
    - role: prometheus_exporters
    - role: promtail
    - role: fail2ban
    - role: certbot
    - role: mumble_server
17 |
--------------------------------------------------------------------------------
/playbooks/nvchecker-poc.pkgbuild.com.yml:
--------------------------------------------------------------------------------
# Proof-of-concept host that is not part of the static inventory: it is added
# to the in-memory "hcloud" group at runtime (presumably so group_vars/hcloud
# applies) before the real play runs against it.
- name: Add host to the in-memory inventory
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Add nvchecker-poc.pkgbuild.com to the in-memory inventory
      add_host:
        name: nvchecker-poc.pkgbuild.com
        groups: hcloud
      tags: always

# Minimal setup only: no wireguard, hardening, fail2ban or monitoring roles
# (contrast all-hosts-basic.yml). Fine for a PoC; revisit before the host
# becomes anything more than that.
- name: Setup nvchecker-poc server
  hosts: nvchecker-poc.pkgbuild.com
  remote_user: root
  roles:
    - role: firewalld
    - role: common
    - role: sshd
    - role: root_ssh
18 |
--------------------------------------------------------------------------------
/playbooks/opensearch.archlinux.org.yml:
--------------------------------------------------------------------------------
# opensearch.archlinux.org. Hardening is applied; no fail2ban and no public
# certbot/nginx roles — presumably the service is only reached internally
# (confirm against the firewalld/opensearch roles).
- name: Setup opensearch.archlinux.org
  hosts: opensearch.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: hardening
    - role: sshd
    - role: root_ssh
    - role: prometheus_exporters
    - role: promtail
    - role: opensearch
14 |
--------------------------------------------------------------------------------
/playbooks/phrik.yml:
--------------------------------------------------------------------------------
# phrik.archlinux.org — IRC bot host with user accounts (archusers). No
# firewalld, hardening or fail2ban roles at all (contrast all-hosts-basic.yml),
# and the bot roles run before sshd/root_ssh; worth confirming this is deliberate.
- name: Setup phrik bot server
  hosts: phrik.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: archusers
    - role: bugbot
    - role: phrik
    - role: sshd
    - role: root_ssh
    - role: prometheus_exporters
    - role: promtail
    - role: wireguard
14 |
--------------------------------------------------------------------------------
/playbooks/rebuilderd-workers.yml:
--------------------------------------------------------------------------------
# Shared play for the rebuilderd_workers group. No hardening role here, unlike
# all-hosts-basic.yml.
- name: Common playbook for rebuilderd_workers
  hosts: rebuilderd_workers
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    - role: rebuilderd_worker
    - role: prometheus_exporters
    - role: promtail
    - role: fail2ban
14 |
--------------------------------------------------------------------------------
/playbooks/redirect.archlinux.org.yml:
--------------------------------------------------------------------------------
# redirect.archlinux.org — HTTP redirect frontend (nginx + certbot) that also
# hosts the ping and dyn_dns roles. Hardening is applied (after nginx); no
# fail2ban role, unlike all-hosts-basic.yml.
- name: Setup redirect.archlinux.org
  hosts: redirect.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    - role: certbot
    - role: nginx
    - role: redirects
    - role: prometheus_exporters
    - role: promtail
    - role: hardening
    - role: ping
    - role: dyn_dns
18 |
--------------------------------------------------------------------------------
/playbooks/reproducible.archlinux.org.yml:
--------------------------------------------------------------------------------
# reproducible.archlinux.org — rebuilderd frontend behind nginx/certbot, backed
# up via borg. No hardening role here, unlike all-hosts-basic.yml.
- name: Setup reproducible builds rebuilder
  hosts: reproducible.archlinux.org
  remote_user: root
  roles:
    - role: common
    - role: firewalld
    - role: wireguard
    - role: sshd
    - role: root_ssh
    - role: borg_client
      tags: ["borg"]
    - role: certbot
    - role: nginx
    - role: rebuilderd
    - role: prometheus_exporters
    - role: promtail
    - role: fail2ban
17 |
--------------------------------------------------------------------------------
/playbooks/rsync.net.yml:
--------------------------------------------------------------------------------
# Controller-side play: configures the rsync.net backup account, handing the
# rsync_net role the list of borg_clients hosts. Credentials come from the
# vault file under misc/vaults/, so this needs the vault password client.
- name: Setup rsync.net account
  hosts: localhost
  gather_facts: false
  vars_files: ["../misc/vaults/vault_rsync.net.yml"]
  roles:
    - role: rsync_net
      tags: ["borg"]
      backup_dir: backup
      backup_clients: "{{ groups['borg_clients'] }}"
11 |
--------------------------------------------------------------------------------
/playbooks/tasks/include/post-upgrade.yml:
--------------------------------------------------------------------------------
# Runs after a package upgrade (see upgrade-server.yml) and ends in a reboot
# unless one of the included guard files calls end_host for this host.

- name: Run borg client post-upgrade tasks
  include_tasks: include/post-upgrade/borg-clients.yml
  when: "'borg_clients' in group_names"

# NOTE(review): the stat runs on the controller with a relative path, which is
# resolved against the controller's working directory, whereas include_tasks
# resolves relative to this file — the per-host guard is only found when
# ansible-playbook is run from playbooks/tasks/. Confirm, or anchor the path on
# playbook_dir.
- name: Check for host-specific post-upgrade tasks
  delegate_to: localhost
  stat:
    path: "include/post-upgrade/{{ inventory_hostname }}.yml"
  register: post_upgrade_tasks

- name: Run host-specific post-upgrade tasks
  include_tasks: "{{ post_upgrade_tasks.stat.path }}"
  when: post_upgrade_tasks.stat.exists

- name: Reboot
  reboot:
15 |
--------------------------------------------------------------------------------
/playbooks/tasks/include/post-upgrade/borg-clients.yml:
--------------------------------------------------------------------------------
# Reboot guard for borg clients: the mere existence of /backup is taken as
# "a backup is in progress" (presumably the borg_client role creates/mounts it
# only for the duration of a run — confirm against that role).
- name: Check if /backup exists
  stat:
    path: /backup
  register: backup_mountdir

- name: Abort reboot when borg backup is running
  meta: end_host
  when: backup_mountdir.stat.exists
8 |
--------------------------------------------------------------------------------
/playbooks/tasks/include/post-upgrade/build.archlinux.org.yml:
--------------------------------------------------------------------------------
# Reboot guard for build.archlinux.org: never reboot under a running package
# build. pgrep -x anchors the whole pattern, so only processes whose name is
# exactly one of the three alternatives count.
- name: List build-related processes
  command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
  register: pgrep
  # pgrep exits 1 when nothing matches — that is the normal "safe to reboot"
  # outcome, not a task failure.
  failed_when: false

- name: Abort reboot with running builds
  meta: end_host
  when: pgrep.rc == 0
9 |
--------------------------------------------------------------------------------
/playbooks/tasks/include/post-upgrade/repos.archlinux.org.yml:
--------------------------------------------------------------------------------
# Reboot guard for repos.archlinux.org: do not reboot under logged-in users.
- name: List logged on users
  command: who
  register: who

# NOTE(review): `who is changed` is always true for the command module (no
# changed_when is set), so only the line count decides. One session is
# tolerated, presumably the operator's own; note that non-interactive ssh
# sessions do not necessarily appear in who(1) at all — confirm this guard
# catches what it is meant to.
- name: Abort reboot with logged on users
  meta: end_host
  when:
    - who is changed
    - who.stdout_lines | length > 1
10 |
--------------------------------------------------------------------------------
/playbooks/tasks/include/reencrypt-vault-key.yml:
--------------------------------------------------------------------------------
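# Re-wrap the GPG-encrypted vault password for vault id {{ vault_id }} so that
# exactly the keys listed in vault_pgpkeys can decrypt it (used when keyholders
# change; see docs/vault-rekeying.md). Runs on the controller.
#
# The previous version piped the new ciphertext through sponge(1) straight into
# the password file. sponge writes whatever it received regardless of the
# upstream exit status, so a failing encrypt (unknown/untrusted recipient key,
# missing secret key for the decrypt, ...) replaced the file with empty or
# partial content. Encrypt into a temporary file instead and only move it into
# place once gpg has succeeded and produced output; moreutils is no longer needed.
- name: Reencrypt vault {{ vault_id }} key
  shell: |
    set -euo pipefail
    src="{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg"
    tmp="$(mktemp "${src}.XXXXXX")"
    trap 'rm -f "$tmp"' EXIT
    # Under --batch gpg refuses recipients whose keys are not valid/trusted in
    # the local keyring instead of prompting; that failure now aborts before
    # anything is written to the real file.
    gpg --decrypt --batch --quiet "$src" \
      | gpg --batch --armor --encrypt --output - \
          {% for userid in vault_pgpkeys | flatten %}--recipient {{ userid | quote }} {% endfor %} \
      > "$tmp"
    # Belt and braces: never install an empty result even if gpg exited 0.
    [ -s "$tmp" ]
    mv -f "$tmp" "$src"
  args:
    # pipefail is a bash feature; do not rely on /bin/sh happening to be bash.
    executable: /bin/bash
  # The file is rewritten on every run, so "changed" would carry no information.
  changed_when: false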
11 |
--------------------------------------------------------------------------------
/playbooks/tasks/include/upgrade-server.yml:
--------------------------------------------------------------------------------
# Full system upgrade. Order matters: archlinux-keyring is refreshed first so
# packages signed by newly added packager keys verify during the upgrade that
# follows instead of failing the signature check.
- name: Ensure latest keyring
  pacman:
    name: archlinux-keyring
    state: latest
    update_cache: true

- name: Upgrade all packages
  pacman:
    upgrade: true
  register: pacman_upgrade

# post-upgrade.yml (same directory) runs the reboot guards and reboots.
- name: Run post-upgrade tasks if packages were upgraded
  include_tasks: post-upgrade.yml
  when: pacman_upgrade is changed
15 |
--------------------------------------------------------------------------------
/playbooks/tasks/install_arch.yml:
--------------------------------------------------------------------------------
# First-boot provisioning: runs the install_arch role against the targeted
# hosts. Care: it is not idempotent by design — do not point it at a host that
# is already provisioned.
# NOTE(review): bootstrap_version "latest" pulls whatever bootstrap tarball is
# current at run time; verifying that tarball's signature is the role's job and
# is not visible here.
- name: Install arch
  hosts: all
  remote_user: root
  vars:
    bootstrap_version: "latest"
  roles:
    - role: install_arch
11 |
--------------------------------------------------------------------------------
/playbooks/tasks/reencrypt-vault-default-key.yml:
--------------------------------------------------------------------------------
# Controller-side: re-wrap misc/vault-default-password.gpg for the key set in
# vault_default_pgpkeys. include/reencrypt-vault-key.yml does the actual work.
- name: Reencrypt vault default key
  hosts: localhost
  tasks:
    - name: Reencrypt vault default key
      include_tasks: include/reencrypt-vault-key.yml
      vars: { vault_id: default, vault_pgpkeys: "{{ vault_default_pgpkeys }}" }
9 |
--------------------------------------------------------------------------------
/playbooks/tasks/reencrypt-vault-super-key.yml:
--------------------------------------------------------------------------------
# Controller-side: re-wrap misc/vault-super-password.gpg for the (presumably
# smaller) key set in vault_super_pgpkeys. include/reencrypt-vault-key.yml does
# the actual work.
- name: Reencrypt vault super key
  hosts: localhost
  tasks:
    - name: Reencrypt vault super key
      include_tasks: include/reencrypt-vault-key.yml
      vars: { vault_id: super, vault_pgpkeys: "{{ vault_super_pgpkeys }}" }
9 |
--------------------------------------------------------------------------------
/pubkeys/ainola.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4S7RHgA1b1dBefYOEkKPZW0djFDh7FpIb7ocQBDnEw brett
2 |
--------------------------------------------------------------------------------
/pubkeys/alad.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDU77snZ3cyD4JvYjC+6Un5uL8QdIGY2UdkcNnmW3bPS user@enotty
2 |
--------------------------------------------------------------------------------
/pubkeys/alerque.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxwIjCwmzSokqG1rCFL6WyTOGC9ucT0TfxELWOAi9RN/meGNeml74rjRsxQoeTcao4V15WC3/4oe9AKqVfKQyKi7iQ6LQzrT4e39wb94kMRbNbdhs0+wqR3b71typzxkKqrHzOJYuPpAEBfFVAawxzNMsknPmRkVAhw4rVUBAPyK+yfF35iBCjt514XOXJn9eUWdTee4kzhlHW/3rr6bYsAb5lPE0SsVvJ/Y/uIn+7NJpq6rueb3bMvEXXJOK90lqdKwxiwFHFb3p4AXylVxAJlGTvcoGXscwy5Aw3mMsHyjjR10QufT2LCuwq+1t4mlmWqMN78VhPRTr8APLTFzLT caleb@alerque.com
2 |
--------------------------------------------------------------------------------
/pubkeys/alucryd.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjZ4ClAPV1HCWT69/SaEvHR6jfogFa6jj0OA7uDru3x alucryd@archlinux.org
2 |
--------------------------------------------------------------------------------
/pubkeys/anatolik.pub:
--------------------------------------------------------------------------------
1 | ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAAgr/wGsxgRKuYQ4/SbuRoJWX9cthWcRDB/+W6R7WcJ2HXCCH1QxnzfNNA1weMx9bn+MhyJvzNPXtlIWZulT9P+cQAIqvstu2xQvAuJpalsmA64c/9w7r2bL0M2goXcDf8v6G0ZQzUNYu1/4p62UUe+m6Zh81KjxjTjCI5rPck1ir3WRA== anatol-2014-02-16: Arch Trusted User
2 |
--------------------------------------------------------------------------------
/pubkeys/andrewsc.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFnjeqfiMUTPEsDBmNRcM3YIBj7inbjxl5a1v1XAuunl andrew@arrakis
2 |
--------------------------------------------------------------------------------
/pubkeys/andyrtr.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF36srNTJSAE3AQ0Qh9hPKyijkpmmOzf4zUv9LObYx9a andyrtr@workstation64-2015-08-13
2 |
--------------------------------------------------------------------------------
/pubkeys/anonfunc.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6czuMNlMyIczPJqzgHSZBdCunf6QRDY3427BAwTKFu
2 |
--------------------------------------------------------------------------------
/pubkeys/antiz.pub:
--------------------------------------------------------------------------------
1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG+kMUE9KhMXRG8Njc1JAMFQtNz3quly396hqTyeY3fOaiJazY39VMUXKNks+8UVMY/ANnqa5FVqRzjji9H/BAY= Arch Linux
2 |
--------------------------------------------------------------------------------
/pubkeys/archange.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpl33KUeExaiEPmaoD4ENBgDfVbXh7CvfKlP1ag++0+ archange@minas-tirith
--------------------------------------------------------------------------------
/pubkeys/arojas.pub:
--------------------------------------------------------------------------------
1 | ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBABp+1zrlaAYyyec13KhoCm8wVNueegiVaDppi1pS8QFq85PImBKnrBzlagiGXI+SVnhkAXkSeM4Fp6we4JZ9zmT3AFhNmzzgz0zNbFFrmkxVyLCH1eTCdDcDGGwMNwA9wn4xQYtnWkgv29rR3pMYIc9GI9er7QQLdqmfUJ2OtSR6D29mg== antonio@arl-portatil-2014-11-07
2 |
--------------------------------------------------------------------------------
/pubkeys/artafinde.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEkKl29v447RLdHNomiQfQhdr66vCzU50vF74C/dh2zO inglor@tiamat
2 |
--------------------------------------------------------------------------------
/pubkeys/bastelfreak.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTViMkk5xbRev6q787/7PFiNioChM8SGjWvanlIha1Z archlinux TU 2020-11-09
2 |
--------------------------------------------------------------------------------
/pubkeys/bertptrs_ganymede.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu2R0aiCVDrmZTum5xcqF9JKThwYxS3t7953nu016kR
2 |
--------------------------------------------------------------------------------
/pubkeys/bertptrs_rhea.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVTtzkvE9YDW7Y6VRAOjEp3J5//PqJg7eZhthyBq56g
2 |
--------------------------------------------------------------------------------
/pubkeys/bgyorgy.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnQanylbbYj1DJrS9BYooJ39mYuCC1wGJDsPqnCxXuO9GOCCN65TH5NoQEklgYv7qPiN1qVIpvLYgBbXbgjqbaPRCddLzgYorrvUQ/d0HXhiauJ/pyZ6BBNypkRFbG/Nf8Wr5E4JSmKRY1agTIEC3G/9WNuo2iFa7h2oRjMuOBMmlbQkWgB0TaZvPA9tJ9M0ftOYwKEpbaPZyC8FlUOWwNdRs+YwNcR6S1BbW/0sndZlOtlWsZQlZYy2ee4RILFzyUIV1jWoQKbcz+IF0WLP1OGQbsweJPz68VlsRbDw7WwV1N6oHnX+J7uJ+8lmLq/n8KI9fWIxm8O91W6bgBqYgX Balló György
2 |
--------------------------------------------------------------------------------
/pubkeys/blakkheim.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDilqpO7lsrLwNYc4D3UELkJaXDW4iFxJ/+ifQ8i9+kH
2 |
--------------------------------------------------------------------------------
/pubkeys/braindamage.pub:
--------------------------------------------------------------------------------
1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBkGNnjU5ScE51xC2SchPmsEsl8HvKif41wwvuy9flFnvPkL0FLxMCZV2dy5I5vlBozyWPmR6+o3GJjE+SpTQ+Y=
2 |
--------------------------------------------------------------------------------
/pubkeys/carsme.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMMTyny1obngFnyonhlDYO5C7a8+5NFoEAbQ59VtcL/e
2 |
--------------------------------------------------------------------------------
/pubkeys/cbehan.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp45Da2WPrUDMMm1IsAqKTVKWXfY1jH05C2mqFlCdAKfGt8nEsCmTLgN//3Qy4l6vi2QizENFscdNyatun+6xGVz1fHLC71y6mcgrBYJYPxcThvJCAXglnBYW2xtf2Yd2tV/VDGbm6o0i8PD8UbOTikR0iO26nh7RNiMjimZZwHWLoyOzVVPwp5tahNUE9tDnBfJdf0PBAEKQaFtN6K+ffWUpzCE1NIZOm5Bx0ESxe/ZUveMINJ0M0y83kdJphcv8ZaUoRViiphPAFQlq8gS46cbdC6M2llJKpxyHkwiZmPdbY3e8QyIL+8VqLBJge+QRn+pMn8wdjbLfbX8IyjlcEQ== connor@connors-laptop
2 |
--------------------------------------------------------------------------------
/pubkeys/codingkoopa.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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 koopa@comet-observatory
2 |
--------------------------------------------------------------------------------
/pubkeys/dbermond.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfP72hf+XMF4A0aDMNrVtP+D0gxSsk8zCOt1jlcV4Wr
2 |
--------------------------------------------------------------------------------
/pubkeys/demize.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP/yrh6/7IFBCrGkIByw1ruYDdJFCOk8p1tIaLTs3M7P kyrias@zorg.kyriasis.com
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIHU6QpZkcnicveoF7UjfhaEH93YmgrVLV6v7mXbjkJ kyrias@hydrogen.kyriasis.com
3 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFLvTgPj2yZwStuDVPicIrLZ18Hjh9TtXWKhgFboDoW kyrias@flourine
4 |
--------------------------------------------------------------------------------
/pubkeys/denisse.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKo2Uddwkt9dx+V4UO9AnP0RIKqkfqOEx1osQszQpzK1 andrea@youdu
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTMR5HHwFsKQWlvAk4UGhYxiB15dHY5pPoVufBSPNDF andrea@diyu
3 |
--------------------------------------------------------------------------------
/pubkeys/det87.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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
2 |
--------------------------------------------------------------------------------
/pubkeys/dvzrv.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGqlGt8LVYWzSoewv4Gf7W07BdRuj+3vApq+9Wdvvti openpgp:0xB551DFD6
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTjZNraF2KN/whbJKX7GQ/b5YzQYUVsrzhY/XVFhHaK openpgp:0xD6B976F5
3 |
--------------------------------------------------------------------------------
/pubkeys/eworm.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8PfruWojtVuYisJ62Qq8LiyD3nccg7RF8oc33OcN8A eworm@leda
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuem6MNhbEE5VFWf31vcpIqGx/0vInIk7sCsHZVugJT eworm@elara
3 |
--------------------------------------------------------------------------------
/pubkeys/fabiscafe.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqLl2rJxwcz08zEXnHuz3I3emoZTwbZtuOUx5rh4Z1G fabiscafe
2 |
--------------------------------------------------------------------------------
/pubkeys/faidoc.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCopoB+g/WSsUmItaqxcAZMWbH54PTkJQUYdP0WkYGShsOmQtcLvQ89zd/SNxRnZOe94xUaLmUTdTnvVl8ipkrC1c/NlngqJumBeMMIXUrmRLeRn6ClornSqzbmtTB8kd/9rs2GkSCyj05kTjVs9h6s/Ea5y+faRlL7FQtMwSg35B2sexHUxBTjiqveip4loP1aQUIBxKnG8AosI10URT4ea61Vf4j4QJrzOMKfhqkcXLkudRA/3Z5mZwPNRI+LxAWjE0etY+yDKA8pN/oA0lpb/7YM0LQ0D3DPuITc/efYRzWV55vS5Zo17PgDM5PJ7kgoRYeUoOPJoc2wvCLxT27X Arch Linux
2 |
--------------------------------------------------------------------------------
/pubkeys/felixonmars.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsHFZD9AQu8OQ6vcWmsAreio6uOEEmPEX8qg0M4lQLfJFlvqgp1vWPs+wrGNrXjKYqd9EJ1UO6O+fAun9S82FpgsiNwr+amM1d0TdUm2WP2Bni1ZuMA/GV1DOFEvKcbOtaDNBfiZQ90wBLn0X92gNoKPszXKM0FapBhkVT4YX+Zd6sZVrNEmMcOy7PSBGRNpOHi8iM85jTPWz/1HPEGOnKwd9Uhdpj86fbxl77rkdjFNgBUqWwVOzrDDnh8R38NhzdXcVsuYWKfgrAf3DMiQrhtYj9qiSeWoYpg/zuXiAHeXDMVCcgirqMbEN51Fwzv/P/s8dlAa7t4hiwD/LrrYGx felix@felix-arch
2 |
--------------------------------------------------------------------------------
/pubkeys/flyingpig.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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
2 |
--------------------------------------------------------------------------------
/pubkeys/foutrelis.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLhf2O1fEAS+YrOygDn19fskZONYb78V1Nd/y5hVVLw foutrelis@foutbox
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID0Eh1IQQ7bxonYkk12y6sbjtfLK+O1wdKHzmpbXRM0b foutrelis@notbad
3 |
--------------------------------------------------------------------------------
/pubkeys/foutrelis_buildhost.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHcxhpCKW/gjjR1fp9F82OByA+GStvOF8krBoZ7pv+B foutrelis@gemini.archlinux.org
2 |
--------------------------------------------------------------------------------
/pubkeys/foxboron.pub:
--------------------------------------------------------------------------------
1 | ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFz2DI1wqW6NeIaQAlgxK6rpjv/yBhentOu12jdKhMFI1VosovoX0biklcOF51tejyFFwwK1R3IAtRyoniceR1mhgDHMs51wnOln0RjR1UQ22viOkcJnXwU1b7XDnhoVhXWXbGZDsj+C1rzTce1txm5c/26YK8C7bLg7FBNf8JbGhUn+g== Arch Linux
--------------------------------------------------------------------------------
/pubkeys/freswa.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7TikGFhV6InuIVUMgvz4+iisCGhScHWgtvH1+zqkIO freswa
2 |
--------------------------------------------------------------------------------
/pubkeys/grawlinson.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOryN/O00KIbBFQg5nWNO+/rx+JbZHe1pKwmLQ4hb+V grawlinson
2 |
--------------------------------------------------------------------------------
/pubkeys/grazzolini.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH3gOBMNxBunNO/+XET9JM390/ZkogIB0oWoCf2s3Ib
2 |
--------------------------------------------------------------------------------
/pubkeys/hashworks.pub:
--------------------------------------------------------------------------------
1 | sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDGzbP1z+hTV1wOOFjVfQNCLTHmouswv4N8aBb1Jw9TOAmbNs/3LSvwy/Zo6jNL7+OS9tkPtr+nAdL03reDqYJEAAAAEc3NoOg== hashworks@yubikey-5c@2021-03-21
2 |
--------------------------------------------------------------------------------
/pubkeys/hashworks_yubikey_5_nfc.pub:
--------------------------------------------------------------------------------
1 | sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBO5oIvnZWTBpP/Kzi8H3QTkhQgPP8uYQUJrSHwhsUWNp1AygiwmeGtB1rjysqwUN0kH7A24HUCHAizq/mFHfvGMAAAAEc3NoOg== hashworks@yubikey-5nfc@2020-02-17
2 |
--------------------------------------------------------------------------------
/pubkeys/heftig_build.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+MYF/ybW30hh8QB0ktXdUx/OqLUTrU2ohsFnvZOwti heftig@dragon
2 |
--------------------------------------------------------------------------------
/pubkeys/heftig_nitrokey.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLyG2MHXtzhaqAMukDjvQT8BTQpZfLYEOogJkDJDo7V cardno:000F_8991A69D
2 |
--------------------------------------------------------------------------------
/pubkeys/heftig_yubikey.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNbRKSVPySqXMjiyxYXhhusHw7a1pokxZ2paLiEQ7Ex cardno:13_062_363
2 |
--------------------------------------------------------------------------------
/pubkeys/integral.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCt+EXage7zhr7ssm0kgJp6Wj1IrBxHufDdUtxUDedKHUpk6d30b0eILKoBziB7HAosSHSWwdojIcVA1AIW8hegjr0XnlJa09p9QKBfLAwDb1xyQibeFJr6xXgqCswEOQl4ftvlT0i/R98MD1F3bpQfU5NAI2KAJT0jMFs6Lp6ycW5tm5JIKazJwEqTLlRZVGqIQEr8cN6OvxOXqgO+DTH/IXuxKwc5cgnVZIBIAEKalqkPHHulx0Hr1TlkUGO55r4wPGCWMKWjhoRKmZ4Jj0NR/eNgavr+V8IsC5YVP4OZHJhtr7EJL/aQXfL9mkf/i1MKbJ72CyI01pqpP3tsC1m78z92bOH055q3UA6g/hKkrB5rMCS1n1oG+l/mE/CSNI2Sgqir9lj5y8d9GGKLrdXvPZ3XgVVV1kwFBaMjMBi5ljE6zq2b24eTi4VBMUhtjDikMke/PCyHhWzgl9R03KPEnPwSiMJ3HvadyvgQUTfLmPanogDQzUMshKqcSGhRec= integral@IntegralPC
2 |
--------------------------------------------------------------------------------
/pubkeys/jelle.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfV8DZ3B/ffqQY0ILUbkTgeorY1qwHpF8aZwLGp8E8 jelle@lithium
2 |
--------------------------------------------------------------------------------
/pubkeys/jlichtblau.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAraESI6YDbjfio9hnB8yR3Nz4OoHTYvLOsmlr0BEIbdUmSyDMr6TKnLgf3PPAfuJU0HnvHvGGecz/2VwGS65JkYQ1Ywmqws6CHr7l7UEAYTqGsUY8EafW+QuJH8dFeLZAz/LaQIntb/VUKYFVzxSDbg28h83ACRHGbhdawfEsY7lTVFgiUtXX8rpaocGvJCyCYIuPVi5BQta6NICWp1xicKtt8LAts0aVqTOZJkuDHwNUGg35OhPRD5j6VvFVADGX4xpricCzpQMIIdukpPGK4EKQi3izZ74H7CK6B5MLU6OGpFtsBbJp150s3gAfbBnMjPdVv7IQHJfpla7o7sDiuw== dragonlord@trinity
2 |
--------------------------------------------------------------------------------
/pubkeys/jouke.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/uFoME6wycl4NLu7kI7A7dLlP5aE6O6Bhz+FP7MYp7VkPgc2k3CPFzikgxDYVRtawQwdc30iAWMajHDMSXshIW+FS603KdDHWwiYDQtFf4kjW1obAnXB6I70bcIVBmsZgCXRPBjLQ2EGMovzI0cfElq1A9vJ9pMz7VGFnFM2lExI1qk7EXurFvxcGzZrUCuISHw/C2FvuH4Ohqao696mwXvGr4LQp7uO4u/UoaSLlCjuuLp5OZG+kETHX6CA/D2ap0VivE4abU/Wm4ydSKAhLITBYfPs7x4GzhTWXTCX+cTkgG/59i1wRw1fu+JE3ZcltH3Y/pYUDavMjgG3wtbOv j.witteveen@gmail.com
2 |
--------------------------------------------------------------------------------
/pubkeys/kewl.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJbGR2qFkSoPaXLjOzkgLu0ml1E5GvQ0e3mSZRxpfAZ
2 |
--------------------------------------------------------------------------------
/pubkeys/kpcyrd.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwAYf2IPBbqjeQR2b41hbcQSgYsBPquJpdfkbLpt8n3
2 |
--------------------------------------------------------------------------------
/pubkeys/lahwaacz.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPAJokquWeVyMNd7am5gtJhwoVUHNtm/ydLiOjKKQTG lahwaacz@archlinux
2 |
--------------------------------------------------------------------------------
/pubkeys/lcarlier.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpnmIQCYKJx58JTmhSuszZDfrlLhQZe1V7Ri9hrxdS2vypDAYkkyzJfxG8yrJTz3DxDjYfQgOuuRb07M+Kcha/t49pX95591w14m3PaPpJZHnfTJnNTSEJN1opsZ2Go9hdGL/t4FRoKbW07qRhOyyosH5cmUIk4UJpqO+OzuDzX11jXcYabYdkrIFuQ6Hf1A9nhPWETQc5FBp3RXmX7bh324eZJuGzzzjZy5H849vcTvz4OmMBAT5tkLXj0BSW2b5a4e2pVbDASJLFm2as2dmpBaD9HvTcYsKS5w8wAehuVkB+TNi0QOkbYUq8d5QzDd2m2CAuw+U5lIRH/v/pywGf lordheavym@gmail.com
2 |
--------------------------------------------------------------------------------
/pubkeys/lfleischer.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDblx+Y+q2JsVwMTjLUvdK7pc6xvfhrjJN81SqyPWs4A84aIeZVEg9gxGPTOVxflVDUOH52Co0cE2oE4mkC2kpp8o5D9t/0UjMIuxP2rwkjIhp1rF2b77cZhLZq0q3vlu3U9gK8XdQdIwqo2gBpPyYqHQgXAadYL5K4tcQuGfmpdYkqGlscX4CwSj+u61M7SG/y7WEpZI1QvECVuMGSn/2aTQ9K04j9EZZ+Ns4muaPBBBJzmtanDNabhJngIVEmVmJNT859hBBPzapzEqYi0Ghf1mEH8PiF2BtygcN5jvbAgd8drdEqpzawSB3Zd3SykCS8mTb866QxxzgqrHuWaizZ cryptocrack@blizzard
2 |
--------------------------------------------------------------------------------
/pubkeys/mh4ckt3mh4ckt1c4s.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgaVld+jMegw7pgl7UeS4+k3u7qRM+aYxwG4pSa3lpP
2 |
--------------------------------------------------------------------------------
/pubkeys/morganamilo.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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 morganamilo@Octavia
2 |
--------------------------------------------------------------------------------
/pubkeys/moson.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsKcvBlYwEmJN5Ea04p0p4Ut6iXjXjPwCmTELG7837l
--------------------------------------------------------------------------------
/pubkeys/muflone.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCos82hq78GpWjddGmEGYrjnPkQpvrHHwUvpp2gyC13V7vjEknoDFKi3gCj/S1xCfZMV+BtXXdCIdyWcYECuBP6U75iLhDL7xC0xXXnr6eYN67bYbWuzWh3UyyjrQyVqKVdpABrLoG8LVj4AloqaJlHf0yNqIPrkooZIq0dVdPbcqs/fQGpZJoejSfIJPMpck261zgV+06u6e3eefa53ulvj5089ACzJZX3cCPkUB3pAA1aadAQ8H2CojQVeRdMK3Tu2pQdwr9VEAVb0JNpMBQOOoXhRJTRe+TkzYxQIIs0eDIyRDvr+n5w8bPkIJJZfJgcyXLDGtByVJVBK4bn/x2l Muflone per Arch Linux
--------------------------------------------------------------------------------
/pubkeys/neitsab.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVOCWR4UkN01X4UaAobPMBtfdbFsW/M7F0fEeOe1SYG
2 |
--------------------------------------------------------------------------------
/pubkeys/pitastrudl.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGH+YMFHiCOdoSEhd9kwEYWwpyw3j67NhtIBxIU0Qrh7
--------------------------------------------------------------------------------
/pubkeys/polyzen.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjH253/8z/KxzdQn94+UJyrBibQDgWqdGCi7dvqfToB
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVHGjgJL7+Ks/eKwxwq8YOjDUnBP2zK4q9Hth96uERF
3 |
--------------------------------------------------------------------------------
/pubkeys/ptr1337.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFddUjybICoqvz3BfNeunxLytpsxBd2k63knI7kMSEdP admin@ptr1337.dev
2 |
--------------------------------------------------------------------------------
/pubkeys/raffomania.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtKqRI7os84fG64ALYWDolAu8tmyiAU8zmBCbqC6dKg rafael@rafa.ee
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6S9A4SubbkpqhUygYg1zOUQdXuIriphNfmcvxR7x51 rafael@sage
3 |
--------------------------------------------------------------------------------
/pubkeys/rgacogne.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQmB8armNXIwtSxQuDGNkg4bt1Jokqcb5uV45loTwin
2 |
--------------------------------------------------------------------------------
/pubkeys/sangy.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw5hvCiB+vBGJkofYOVjHSctB03UaDtn5Rn48HBz1h+/7eu1p2Fs++zHEmK4GqdUjuEPfG6v0mp0JeJdqQ/3A/+L9/KvBRwfcEEBqYDNdzVkygypCkL8i6g1ArMBshAXi7Stlf4xBkC9LeMwOVY+aIzJbRB85uMAW7EPW2kRYqmfizAFKoNH1d5eTb9hripQ+bbhfk0zornZBncFBsYUwJTcPdXsZSKN3Gh/viFF6q7emenIbaS2jPxtaMqIgL8abnnXtV2MEOISarubmc9afXfNJ2y1+S+IfIL4PktdbOiOcIxGLYH2r9Bk/J2aU4azxmH8dbXUvrw0hLm28bGkVH torresariass@gmail.com
2 |
--------------------------------------------------------------------------------
/pubkeys/seblu.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLR8jNAXVfUTY1Z7jJn3KfFgvIMn5xeYozo6cyLNjYm seblu2019
2 |
--------------------------------------------------------------------------------
/pubkeys/segaja.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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 segaja@segabox
2 |
--------------------------------------------------------------------------------
/pubkeys/serebit.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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
2 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQbrGHhGkoYLlQjUb+r909i28NXL24zbf7o8zWM/9B3 serebit@hawking
3 |
--------------------------------------------------------------------------------
/pubkeys/skydiver.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaXkI5ykpjrMYh6VEcj92M6PV1dAMuyZhHcHFCrqqtd
2 |
--------------------------------------------------------------------------------
/pubkeys/speps.pub:
--------------------------------------------------------------------------------
1 | ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADJwgQ2L7LxH5Vn0Nu6owS6BdnzMZKVTwm/3aPMa8bFF3gOpFRmvZDOrQKq0L5wLqx6YV7hw+whWd9X9INR9KPGqQDd8aQPad2q+M8h6uTxIzrYL5fl+vV/+hK9cmF+k7+dGQ3g/VaEH8AH57dLn0WB67VAGkmteh5CA7QuEBjtd7gCIA== speps@archlinux-2012-05-10
--------------------------------------------------------------------------------
/pubkeys/strit.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCz3y1rl9ZwCk3l3pk3HDk9oYs5hxKR/J4Th9Dnx+ifJ+91vfAjoOlCALc5Mi8GcbVWlK91tuvJamsIHk3p+9lqHJe22XU/BpDzrNQRi9yAndbQKwgx9nFKUp69zZ8nhBRcOxVfvICEVsoDcvjh9upY2vMvHiIntlXHLQ7gkArh94JhX9E9jlZ8vQANmxdN486jDI0+UWBXL7tRWiZwJna5VIYo6kT6OzQKah5swrXGKqZxdVKE56Lr/cXIB7E/tTsSK79/Dx9Vy2dVwIagY91VPmFMuHmfDMGt9aBSBJJHLwXMMWiD9V+TcaoGmJWBgpJXX/dvcQWa6XhaopiQ/vj strit@strit-pc
2 |
--------------------------------------------------------------------------------
/pubkeys/svartkanin.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPt4p0p5ZKvAD3tX4+nbEKEG00tUazs5I5vpIoG92qTF dan@nazgul
2 |
--------------------------------------------------------------------------------
/pubkeys/svenstaro.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINe8T2egyISKwkJeeqzARDiYL4f7NG2FNbK47KaxBio1 arch
2 |
--------------------------------------------------------------------------------
/pubkeys/tpowa.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDA73KiKZuxRzYk1/XizAjHl1VKY/+QAOb22LwX6RDlkrSYffWjlMYG5e9O77L6bzc2S5OeaoaCTHd6g71Pc45wQrElwDfCQfYOL5Gkcf4zXMCyEDNGtf8Ifg3CwIF4Uf13602uVKULsvJnSbeZBEwWPotFelU/lfIZhRzFqYxlIN3NY7F5kRrJogarfBRA4OYNss780U9Ce2DRA4ravkOsWjzfphp1ck2z1yuOmbryVEHYyoQPzv9/5QqH0elx7ZS0Zq6l+P/yZSS/7WHswM+DHZbiGGTurCDSlIjBNyvXMuL/z+ZXQuqHlsFFkRWtzjMFeg83/QY+IshnSLx0Wi3 tobias@Wohnung
--------------------------------------------------------------------------------
/pubkeys/wahrwolf.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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 wahrwolf@wolfstation
2 |
--------------------------------------------------------------------------------
/pubkeys/wiktor.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHCXBJYlPPkrt2WYyP3SZoMx43lDBB5QALjE762EQlc
2 |
--------------------------------------------------------------------------------
/pubkeys/yan12125.pub:
--------------------------------------------------------------------------------
1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYAu+0cvpme3BH/Be7rcvXkSklP2KoKF566o42djLtx id_ed25519-gitlab
--------------------------------------------------------------------------------
/roles/alertmanager/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: Reload alertmanager
2 | service: name=alertmanager state=reloaded
3 |
--------------------------------------------------------------------------------
/roles/alertmanager/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Install alertmanager server
2 | pacman: name=alertmanager state=present
3 |
4 | - name: Install alertmanager configuration
5 | template: src=alertmanager.yml.j2 dest=/etc/alertmanager/alertmanager.yml owner=root group=alertmanager mode=640
6 | notify: Reload alertmanager
7 |
8 | - name: Start and enable alertmanager server service
9 | systemd_service: name=alertmanager enabled=yes daemon_reload=yes state=started
10 |
--------------------------------------------------------------------------------
/roles/arch_images_sync/files/arch-images-sync.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Sync arch-images releases
3 |
4 | [Service]
5 | Type=oneshot
6 | ExecStart=/usr/local/bin/arch-images-sync.sh boxes wsl
7 | ProtectSystem=strict
8 | PrivateTmp=true
9 | ReadWritePaths=/srv/ftp/lastupdate /srv/ftp/images /srv/ftp/wsl
10 |
--------------------------------------------------------------------------------
/roles/arch_images_sync/files/arch-images-sync.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Sync arch-images releases hourly
3 |
4 | [Timer]
5 | OnCalendar=hourly
6 | RandomizedDelaySec=1h
7 | Persistent=true
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archbuild/defaults/main.yml:
--------------------------------------------------------------------------------
1 | archbuild_fs: tmpfs
2 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-chroots.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Clean up old chroots
3 | After=var-lib-archbuild.mount
4 |
5 | [Service]
6 | Type=oneshot
7 | ExecStart=/usr/local/bin/clean-chroots
8 | Nice=19
9 | IOSchedulingClass=best-effort
10 | IOSchedulingPriority=7
11 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-chroots.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Hourly chroot cleanup
3 |
4 | [Timer]
5 | OnCalendar=hourly
6 | AccuracySec=1h
7 | Persistent=true
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-dests.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Clean up old dests
3 | RequiresMountsFor=/var/lib/archbuilddest
4 |
5 | [Service]
6 | Type=oneshot
7 | ExecStart=/usr/local/bin/clean-dests
8 | Nice=19
9 | IOSchedulingClass=best-effort
10 | IOSchedulingPriority=7
11 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-dests.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Daily dest cleanup
3 |
4 | [Timer]
5 | OnCalendar=daily
6 | AccuracySec=24h
7 | Persistent=true
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-offload-build:
--------------------------------------------------------------------------------
#!/bin/bash
# Remove stale offload-build caches: every directory directly below a user's
# ~/.cache/offload-build whose modification time is older than 15 days.
# The per-user glob loop is kept on purpose: with nullglob and no matching
# home directory, a bare `find` with no path argument would default to `.`.

set -eu
shopt -s nullglob

for cache_root in /home/*/.cache/offload-build; do
    stale_dir_filter=(-mindepth 1 -maxdepth 1 -type d -mtime +15)
    find "$cache_root" "${stale_dir_filter[@]}" -exec rm -rf -- {} +
done
9 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-offload-build.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Clean up offload-build artifacts
3 | After=var-lib-archbuild.mount
4 |
5 | [Service]
6 | Type=oneshot
7 | ExecStart=/usr/local/bin/clean-offload-build
8 | Nice=19
9 | IOSchedulingClass=best-effort
10 | IOSchedulingPriority=7
11 |
--------------------------------------------------------------------------------
/roles/archbuild/files/clean-offload-build.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Daily offload-build artifacts cleanup
3 |
4 | [Timer]
5 | OnCalendar=daily
6 | RandomizedDelaySec=1d
7 | Persistent=true
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archbuild/files/devtools-override_arch-nspawn-.scope.conf:
--------------------------------------------------------------------------------
1 | [Scope]
2 | CPUWeight=100
3 | IOWeight=100
4 |
--------------------------------------------------------------------------------
/roles/archbuild/files/devtools-override_devtools.slice.conf:
--------------------------------------------------------------------------------
1 | [Slice]
2 | CPUWeight=20
3 | IOWeight=20
4 | ManagedOOMMemoryPressure=kill
5 | ManagedOOMMemoryPressureLimit=60%
6 |
--------------------------------------------------------------------------------
/roles/archbuild/files/devtools-override_user-.slice.conf:
--------------------------------------------------------------------------------
1 | [Slice]
2 | CPUWeight=100
3 | IOWeight=100
4 |
--------------------------------------------------------------------------------
/roles/archbuild/files/gitconfig:
--------------------------------------------------------------------------------
# vim:set ft=gitconfig noet sw=0 sts=-1:

# System git configuration for the archbuild hosts.
[safe]
# `*` marks every repository on this host as safe, i.e. it disables git's
# refusal to operate on repositories owned by a different user.
# NOTE(review): this is host-wide rather than per path; confirm it is only
# needed because build users work on repositories owned by other accounts.
directory = *
--------------------------------------------------------------------------------
/roles/archbuild/files/mkpkg@.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Build of %I
3 | RequiresMountsFor=/var/lib/archbuild
4 |
5 | [Service]
6 | Type=oneshot
7 | ExecStart=/usr/local/bin/mkpkg %I
8 | CPUSchedulingPolicy=batch
9 |
--------------------------------------------------------------------------------
/roles/archbuild/files/mkpkg@.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Nightly build of %I
3 |
4 | [Timer]
5 | OnCalendar=00:00
6 | RandomizedDelaySec=8h
7 |
8 | [Install]
9 | WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/archbuild/files/strictatime@.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=strictatime for %f
3 | DefaultDependencies=no
4 | After=local-fs.target %i.mount
5 | Before=sysinit.target
6 | AssertPathIsMountPoint=%f
7 |
8 | [Service]
9 | Type=oneshot
10 | ExecStart=/usr/bin/mount -o remount,lazytime,strictatime %f
11 |
12 | [Install]
13 | WantedBy=local-fs.target
14 |
--------------------------------------------------------------------------------
/roles/archbuild/files/var-lib-archbuild.mount:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Build chroots
3 |
4 | [Mount]
5 | What=tmpfs
6 | Where=/var/lib/archbuild
7 | Type=tmpfs
8 | Options=size=70%,mode=0755,strictatime
9 |
10 | [Install]
11 | WantedBy=local-fs.target
12 |
--------------------------------------------------------------------------------
/roles/archbuild/files/var-lib-archbuilddest.mount:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Build destinations
3 | Wants=strictatime@var-lib-archbuilddest.service
4 |
5 | [Mount]
6 | What=/var/lib/archbuilddest
7 | Where=/var/lib/archbuilddest
8 | Options=bind
9 |
10 | [Install]
11 | WantedBy=local-fs.target
12 |
--------------------------------------------------------------------------------
/roles/archbuild/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: Daemon reload
2 | systemd_service:
3 | daemon-reload: true
4 |
--------------------------------------------------------------------------------
/roles/archive/defaults/main.yml:
--------------------------------------------------------------------------------
1 | archive_user_name: 'archive'
2 | archive_user_home: '/home/archive'
3 | archive_repo: '{{ archive_user_home }}/archive-uploader'
4 | archive_uploader_version: 'v0.15.4'
5 | archive_dir: '/srv/archive'
6 |
--------------------------------------------------------------------------------
/roles/archive/templates/archive-uploader.service:
--------------------------------------------------------------------------------
[Unit]
Description=Archive.org uploader

[Service]
User={{ archive_user_name }}
Type=oneshot
WorkingDirectory={{ archive_user_home }}
# Runs the uploader once per package directory two levels below
# /srv/archive/packages (find batches the paths with `+`).
ExecStart=/usr/bin/find /srv/archive/packages -mindepth 2 -maxdepth 2 -type d -exec "{{ archive_repo }}/upload_pkg_internetarchive.py" {} +

LimitNOFILE=8192

NoNewPrivileges=true
# Generous limit: a full upload run over the archive can take hours.
TimeoutStartSec=6h

#BindPaths={{ archive_user_home }}

# NOTE(review): ProtectHome and ProtectSystem are commented out, so the
# service keeps the archive user's normal view of the filesystem and only
# the kernel-facing protections below are active. Confirm whether the
# uploader really needs this, or whether ProtectSystem=strict plus
# ReadWritePaths (the pattern repos-archive-puller.service in this role
# already uses) would be sufficient.
#ProtectHome=true
#ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
--------------------------------------------------------------------------------
/roles/archive/templates/archive-uploader.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Archive.org uploader
3 |
4 | [Timer]
5 | OnCalendar=hourly
6 | Persistent=true
7 |
8 | [Install]
9 | WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/archive/templates/repos-archive-puller.service:
--------------------------------------------------------------------------------
1 | [Service]
2 | User={{ archive_user_name }}
3 | Type=oneshot
4 | ExecStart=rsync --recursive --times --ignore-existing --omit-dir-times --timeout=60 --contimeout=60 --no-motd --info=name1 rsync://repos.archlinux.org/archive/packages/ {{ archive_dir }}/packages
5 | ProtectSystem=strict
6 | ProtectHome=yes
7 | ReadWritePaths={{ archive_dir }}/packages
8 |
--------------------------------------------------------------------------------
/roles/archive/templates/repos-archive-puller.timer:
--------------------------------------------------------------------------------
1 | [Timer]
2 | OnCalendar=hourly
3 | RandomizedDelaySec=10m
4 | Persistent=true
5 |
6 | [Install]
7 | WantedBy=timers.target
8 |
--------------------------------------------------------------------------------
/roles/archive/templates/rsyncd.conf.j2:
--------------------------------------------------------------------------------
# rsync daemon configuration serving the archive to the archive mirrors.
# The daemon is not chrooted; access to the module relies on the address
# filter in `hosts allow` below.
use chroot = no
syslog facility = local5

[archive]
path = /srv/archive
comment = archive
# Only the wireguard addresses of the hosts in the archive_mirrors group are
# allowed to connect. NOTE(review): a host in that group without a
# wireguard_address presumably fails template rendering rather than being
# silently skipped — confirm.
hosts allow = {{ groups['archive_mirrors'] | map('extract', hostvars, ['wireguard_address']) | join(' ') }}
--------------------------------------------------------------------------------
/roles/archive_web/defaults/main.yml:
--------------------------------------------------------------------------------
1 | archive_dir: '/srv/archive'
2 |
--------------------------------------------------------------------------------
/roles/archive_web/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Create ssl cert
2 | include_role:
3 | name: certificate
4 | vars:
5 | domains: ["{{ archive_domain }}"]
6 |
7 | - name: Set up nginx
8 | template:
9 | src: nginx.d.conf.j2
10 | dest: /etc/nginx/nginx.d/archive.conf
11 | owner: root
12 | group: root
13 | mode: '0644'
14 | notify:
15 | - Reload nginx
16 | tags: ['nginx']
17 |
18 | - name: Make nginx log dir
19 | file:
20 | path: /var/log/nginx/{{ archive_domain }}
21 | state: directory
22 | owner: root
23 | group: root
24 | mode: '0755'
25 |
--------------------------------------------------------------------------------
/roles/archmanweb/defaults/main.yml:
--------------------------------------------------------------------------------
1 | archmanweb_dir: '/srv/http/archmanweb'
2 | archmanweb_cache_dir: '{{ archmanweb_dir }}/cache'
3 | archmanweb_domain: 'man.archlinux.org'
4 | archmanweb_allowed_hosts: ["{{ archmanweb_domain }}"]
5 | archmanweb_nginx_conf: '/etc/nginx/nginx.d/archmanweb.conf'
6 | archmanweb_repository: 'https://gitlab.archlinux.org/archlinux/archmanweb.git'
7 | # archmanweb_pgp_key: ['932BA3FA0C86812A32D1F54DAB5964AEB9FEDDDC'] # Jakub Klinkovský (lahwaacz)
8 | archmanweb_forced_deploy: false
9 |
10 | archmanweb_db: 'archmanweb'
11 | archmanweb_db_host: 'localhost'
12 | archmanweb_db_user: 'archmanweb'
13 |
--------------------------------------------------------------------------------
/roles/archmanweb/files/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | Disallow: /search?
3 | Disallow: /listing?
4 | Crawl-delay: 2
5 |
--------------------------------------------------------------------------------
/roles/archmanweb/templates/archmanweb.ini.j2:
--------------------------------------------------------------------------------
1 | [uwsgi]
2 | plugins = python
3 | chdir = {{ archmanweb_dir }}/repo
4 | module = wsgi:application
5 | socket = /run/uwsgi/archmanweb.sock
6 | chmod-socket = 660
7 | processes = 4
8 | threads = 1
9 | master = true
10 | uid = archmanweb
11 | gid = http
12 | thunder-lock = true
13 | daemonize = /var/log/uwsgi/archmanweb.log
14 | stats = /run/uwsgi/archmanweb-stats.sock
15 |
--------------------------------------------------------------------------------
/roles/archmanweb/templates/archmanweb_update.timer.j2:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Timer for the archmanweb update
3 |
4 | [Timer]
5 | OnCalendar=daily
6 | Persistent=true
7 | RandomizedDelaySec=1h
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/files/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | Disallow: /packages/search/
3 | Disallow: /packages/?
4 | Disallow: /packages/?*
5 | Sitemap: https://www.archlinux.org/sitemap.xml
6 | Crawl-delay: 2
7 |
--------------------------------------------------------------------------------
/roles/archweb/handlers/main.yml:
--------------------------------------------------------------------------------
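# archweb handlers. Both calls use the dictionary form and the option name
# `daemon_reload`, the spelling used in roles/common/handlers/main.yml, so the
# handlers across roles read the same way and lint cleanly.
- name: Daemon reload
  systemd_service:
    daemon_reload: true

- name: Restart archweb memcached
  service:
    name: archweb-memcached
    state: restarted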
7 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-mirrorcheck.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=archweb mirrorcheck

[Timer]
# One hour after the previous activation, first run 10 minutes after boot.
# With the 1h jitter the effective interval is anywhere between 1h and 2h.
OnUnitActiveSec=1h
OnBootSec=10min
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-mirrorresolv.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=archweb mirrorresolv timer

[Timer]
# Twice a day (12h after the previous activation), first run 15 minutes after
# boot, with up to 10 minutes of jitter.
OnUnitActiveSec=12h
OnBootSec=15min
RandomizedDelaySec=10min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-pgp_import-pacman-hook.j2:
--------------------------------------------------------------------------------
# Re-import the packager keyring into archweb whenever archlinux-keyring is
# installed or upgraded on this host (see archweb-pgp_import.service.j2).
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = archlinux-keyring

[Action]
When = PostTransaction
# archweb-pgp_import is Type=oneshot, so this `systemctl start` blocks until
# the import has finished and a failed import shows up as a hook error in the
# pacman transaction.
Exec = /usr/bin/systemctl start archweb-pgp_import
10 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-pgp_import.service.j2:
--------------------------------------------------------------------------------
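[Unit]
Description=archweb pgp_import

[Service]
Type=oneshot
User=archweb
WorkingDirectory={{ archweb_dir }}
# Import the packager keyring into archweb; started by the archlinux-keyring
# pacman hook.
ExecStart={{ archweb_dir }}/env/bin/python manage.py pgp_import {{ archweb_keyring }}

# Same sandbox the archwiki units in this repository use. The job only needs
# the archweb checkout and the keyring file, so a read-only /usr and no
# privilege escalation cost nothing. ProtectHome is deliberately not set
# because the archweb directory may live under /home.
NoNewPrivileges=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target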
12 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-planet.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=archweb planet timer

[Timer]
# Hourly after the previous activation, first run 15 minutes after boot,
# with up to 1 minute of jitter.
OnUnitActiveSec=60m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-populate_signoffs.service.j2:
--------------------------------------------------------------------------------
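[Unit]
Description=archweb populate_signoffs service
# The job fetches data over the network, so do not start it before the
# network is reported up.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=archweb
WorkingDirectory={{ archweb_dir }}
ExecStart={{ archweb_dir }}/env/bin/python manage.py populate_signoffs -v0

# Same sandbox the archwiki units in this repository use; the command only
# needs the archweb checkout and network access. ProtectHome is left out
# because the archweb directory may live under /home.
NoNewPrivileges=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target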
14 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-populate_signoffs.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=archweb populate_signoffs timer

[Timer]
# Every 20 minutes after the previous activation, first run 15 minutes after
# boot, with up to 1 minute of jitter.
OnUnitActiveSec=20m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-readlinks.service.j2:
--------------------------------------------------------------------------------
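[Unit]
Description=archweb read links databases (for sonames)
Wants=network-online.target
After=network-online.target

[Service]
User=archweb
WorkingDirectory={{ archweb_dir }}
# Long-running inotify watcher (no Type=oneshot); restarted if it dies.
ExecStart={{ archweb_dir }}/env/bin/python manage.py readlinks_inotify
Restart=on-failure
Nice=5

# Same sandbox the archwiki units in this repository use. The watcher reads
# repository files and the archweb checkout; it never needs setuid binaries
# or a writable /usr. ProtectHome is left out because the archweb directory
# may live under /home.
NoNewPrivileges=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target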
15 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-rebuilderd.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=archweb rebuilderd timer

[Timer]
# Hourly after the previous activation, first run 15 minutes after boot,
# with up to 1 minute of jitter.
OnUnitActiveSec=60m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-reporead.service.j2:
--------------------------------------------------------------------------------
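[Unit]
Description=archweb reporead
Wants=network-online.target
After=network-online.target

[Service]
User=archweb
WorkingDirectory={{ archweb_dir }}
# Long-running inotify watcher (no Type=oneshot); restarted if it dies.
ExecStart={{ archweb_dir }}/env/bin/python manage.py reporead_inotify
Restart=on-failure
Nice=5

# Same sandbox the archwiki units in this repository use. The watcher reads
# repository databases and the archweb checkout; it never needs setuid
# binaries or a writable /usr. ProtectHome is left out because the archweb
# directory may live under /home.
NoNewPrivileges=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target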
15 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-rsync_iso.service.j2:
--------------------------------------------------------------------------------
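[Unit]
Description=archweb rsync iso service
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=archweb
# Mirror the ISO tree from the configured origin. --safe-links drops symlinks
# that point outside the tree, --delete-delay/--delay-updates keep the
# published directory consistent until the transfer is complete, and the two
# timeouts stop a stalled origin from holding the job forever.
ExecStart=/usr/bin/rsync -rtlHq --delete-delay --delay-updates --safe-links --timeout=600 --contimeout=60 {{ archweb_rsync_iso_origin }} {{ archweb_rsync_iso_dir }}

# Same sandbox the archwiki units in this repository use; rsync only writes
# to the ISO directory. ProtectHome is left out because that directory's
# location is not fixed here.
NoNewPrivileges=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target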
13 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb-rsync_iso.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=archweb rsync iso timer

[Timer]
# Hourly after the previous activation, first run 10 minutes after boot,
# with up to 5 minutes of jitter.
OnUnitActiveSec=1h
OnBootSec=10min
RandomizedDelaySec=5min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/archweb/templates/archweb.ini.j2:
--------------------------------------------------------------------------------
# uwsgi app config for archweb (Django, entry point archweb.wsgi), written in
# the same spaced layout as archmanweb.ini.j2.
[uwsgi]
plugins = python
chdir = {{ archweb_dir }}
wsgi-file = archweb.wsgi
virtualenv = {{ archweb_dir }}/env

# Unix socket for the web server; 660 so only the owner and the http group
# can connect.
socket = /run/uwsgi/archweb.sock
chmod-socket = 660

# Process model
master = true
processes = 6
threads = 2
thunder-lock = true

# Privileges the workers run with
uid = archweb
gid = http

daemonize = /var/log/uwsgi/archweb.log
# NOTE(review): the stats socket has no explicit mode; confirm its
# permissions on the host.
stats = /run/uwsgi/archweb-stats.sock
16 |
--------------------------------------------------------------------------------
/roles/archweb/templates/donor_import_wrapper.sh.j2:
--------------------------------------------------------------------------------
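#!/bin/bash
# Wrapper run by the fetchmail user: invokes archweb's donor_import as the
# archweb user (the mail is presumably delivered on stdin; sudo passes it
# through). The command line below is exactly what
# roles/archweb/templates/sudoers-fetchmail-archweb.j2 whitelists, so any
# change here must be mirrored there or sudo will refuse it.
#
# exec replaces the shell, so the exit status fetchmail sees is sudo's own.
exec sudo -u archweb {{ archweb_dir }}/env/bin/python {{ archweb_dir }}/manage.py donor_import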
4 |
--------------------------------------------------------------------------------
/roles/archweb/templates/sudoers-fetchmail-archweb.j2:
--------------------------------------------------------------------------------
# Lets the fetchmail user run exactly this command line (interpreter, script
# and the donor_import sub-command, no further arguments) as archweb without
# a password. It is the line donor_import_wrapper.sh.j2 executes; sudo
# matches the argument list literally, so adding a flag to the wrapper
# requires updating this rule as well.
fetchmail ALL=(archweb) NOPASSWD: {{ archweb_dir }}/env/bin/python {{ archweb_dir }}/manage.py donor_import
2 |
--------------------------------------------------------------------------------
/roles/archweb/templates/well-known-matrix-client.json.j2:
--------------------------------------------------------------------------------
1 | {
2 | "m.homeserver": {
3 | "base_url": "https://{{ matrix_domain }}"
4 | },
5 | "m.identity_server": {
6 | "base_url": "https://matrix.org"
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/roles/archweb/templates/well-known-matrix-server.json.j2:
--------------------------------------------------------------------------------
1 | {
2 | "m.server": "{{ matrix_domain }}:443"
3 | }
4 |
--------------------------------------------------------------------------------
/roles/archwiki/files/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | Disallow: /index.php?
3 | Disallow: /skins/
4 | Disallow: /title/File:
5 | Disallow: /title/Image:
6 | Disallow: /title/MediaWiki:
7 | Disallow: /title/Special:
8 | Disallow: /title/Template:
9 |
--------------------------------------------------------------------------------
/roles/archwiki/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  description: archwiki role
  # Never applied on its own; it is only useful together with the role below.
  standalone: false

# Pulls in the nginx role, which Ansible runs before this role's tasks.
dependencies:
  - role: nginx
7 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/archwiki-question-updater.service.j2:
--------------------------------------------------------------------------------
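[Unit]
Description=Update Archwiki pacman question answer

[Service]
Type=oneshot
# Runs as root (no User=) and writes the answer file monthly (see the timer).
#
# The answer is `pacman -V` with every number replaced by the current UTC
# month, base32-encoded, cut to the first 76-column line of the encoding.
# It is computed into a variable first and written only afterwards: with
# `set -o pipefail` a failing pacman/sed/base32 aborts the unit instead of
# leaving an empty or truncated answer file behind (a plain `... > file`
# truncates the file before the pipeline has produced anything).
# `base32 -w0 | cut -c1-76` yields the same first line as the default
# 76-column wrap followed by `head -1`, without the SIGPIPE that `head -1`
# can raise in the writer under pipefail.
# %% is needed here to escape systemd's own templating
ExecStart=/bin/bash -c 'set -euo pipefail; answer=$(LC_ALL=C pacman -V | sed -r "s#[0-9]+#$(date -u +%%m)#g" | base32 -w0 | cut -c1-76); printf "%%s\n" "$answer" > "{{archwiki_question_answer_file}}"'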
8 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/archwiki-question-updater.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Monthly Timer to update the Archwiki pacman question

[Timer]
# Midnight on the first of every month; the answer embeds the month, so a
# run missed during downtime is caught up (Persistent=true) rather than
# leaving last month's answer in place.
OnCalendar=*-*-1 00:00:00
Persistent=true

[Install]
WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/archwiki-runjobs-wait.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Archwiki runJobs Wait Service
# Ordering only: the job runner is not pulled in by, nor does it pull in,
# the database service.
After=mysqld.service

[Service]
User={{ archwiki_user }}
WorkingDirectory={{ archwiki_dir }}
# Long-running job runner (--wait keeps it polling the queue); restarted if
# it exits with an error.
ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/run.php runJobs -q --wait
Restart=on-failure

# Sandbox: no privilege escalation, /home hidden, /usr /boot /efi read-only,
# kernel tunables/modules and cgroups not writable.
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target
20 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/archwiki-runjobs.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Archwiki runJobs Service

[Service]
# One pass over the job queue per activation (driven by archwiki-runjobs.timer).
Type=oneshot
User={{ archwiki_user }}
WorkingDirectory={{ archwiki_dir }}
ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/run.php runJobs -q

# Sandbox, identical to archwiki-runjobs-wait.service: no privilege
# escalation, /home hidden, /usr /boot /efi read-only, kernel
# tunables/modules and cgroups not writable.
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
16 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/archwiki-runjobs.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Archwiki runJobs timer
# NOTE(review): this orders the timer unit itself after mysqld, not the
# service it fires; the service carries no ordering of its own. Harmless,
# but it does not do what it looks like it does.
After=mysqld.service

[Timer]
# Every 5 minutes after the previous activation, first run 5 minutes after
# boot, with up to 1 minute of jitter.
OnUnitActiveSec=5min
OnBootSec=5min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target
12 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/memcached.service.d-archwiki.conf.j2:
--------------------------------------------------------------------------------
# Drop-in for the packaged memcached.service on the wiki host: run as the
# wiki user and listen on a unix socket instead of a TCP port. CACHESIZE and
# LISTEN are consumed by the packaged unit's ExecStart (not shown here).
[Service]
User={{ archwiki_user }}
Group=memcached
Environment=CACHESIZE={{ archwiki_memcached_memory }}
# -s: socket path; -a 770: socket mode, so only the wiki user and members of
# the memcached group can talk to the cache.
Environment=LISTEN="-s {{ archwiki_memcached_socket }} -a 770"
ProtectHome=true
7 |
--------------------------------------------------------------------------------
/roles/archwiki/templates/nginx-cache-purge.service.j2:
--------------------------------------------------------------------------------
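[Unit]
Description=nginx cache PURGE service

[Service]
User=http
# The helper only needs to write the nginx cache: everything else is
# read-only (ProtectSystem=strict), home directories are hidden, and the
# process cannot gain privileges through setuid binaries.
ProtectSystem=strict
ReadWritePaths=/var/lib/nginx/cache
ProtectHome=true
NoNewPrivileges=true
ExecStart=/usr/local/bin/nginx-cache-purge

[Install]
WantedBy=multi-user.target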
12 |
--------------------------------------------------------------------------------
/roles/aurweb/files/robots.txt:
--------------------------------------------------------------------------------
1 | User-agent: *
2 | # block the search page from indexing, as the search is done via URL parameters
3 | Disallow: /packages?*
4 | # block all interactive things from being indexed, such as posting requests
5 | Disallow: /pkgbase/*
6 | # block all account pages from being indexed, as they require login anyways
7 | Disallow: /account/*
8 | # block the cgit interface except for the useful things
9 | Disallow: /cgit/aur.git/*
10 | Allow: /cgit/aur.git/tree
11 | Allow: /cgit/aur.git/log
12 | Crawl-delay: 2
13 |
--------------------------------------------------------------------------------
/roles/aurweb/handlers/main.yml:
--------------------------------------------------------------------------------
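# aurweb handlers, in the dictionary form and with the `daemon_reload`
# spelling used in roles/common/handlers/main.yml.
- name: Daemon reload
  systemd_service:
    daemon_reload: true

# Picks up changes to the sshd Match block in aurweb_config.j2.
- name: Restart sshd
  service:
    name: sshd
    state: restarted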
7 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-aurblup.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Update aurweb blacklist

[Timer]
# First run 2h after the service manager started, then every 2h after the
# previous activation, with up to 5 minutes of jitter.
OnStartupSec=2h
OnUnitActiveSec=2h
RandomizedDelaySec=5min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git-archive.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Generate and update Git Archive repositories

[Timer]
# This is set to 10m intervals as of 09/26/2022. We'll be keeping
# aurweb-mkpkglists around for two months after v6.1.5 deployment.
# At that time (two months after deploy), this should be changed
# to 5m intervals and aurweb-mkpkglists should be removed from use.
# NOTE(review): aurweb-mkpkglists.timer.j2 is still part of this role and
# still fires every 5 minutes, so the plan above has not been carried out;
# either finish it or update this comment.
OnStartupSec=10m
OnUnitActiveSec=10m

[Install]
WantedBy=timers.target
14 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git-auth.sh.j2:
--------------------------------------------------------------------------------
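#!/bin/bash
# sshd AuthorizedKeysCommand for the aurweb user (see aurweb_config.j2):
# called with the key type and key ("%t" "%k") and expected to print the
# authorized_keys lines that apply to that key. Whatever it prints decides
# what the SSH session may do, so it must fail closed.
#
# set -e plus the explicit cd check: if the checkout or its virtualenv is
# missing, exit non-zero with no output instead of falling through to an
# `aurweb-git-auth` found on PATH.
set -e
cd "{{ aurweb_dir }}" || exit 1
source .venv/bin/activate
exec aurweb-git-auth "$@"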
5 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git-gc.sh.j2:
--------------------------------------------------------------------------------
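#!/bin/bash
# Run `git gc` in every bare repository directly below the aurweb directory
# (executed daily by aurweb-git.service as the aurweb user).
#
# The repository path is handed to git as an argument instead of being spliced
# into a `sh -c 'cd {} && ...'` string: with the string form a directory name
# containing shell metacharacters would be executed as shell code. -execdir
# runs git from the parent directory with the match as ./name.git.
find "{{ aurweb_dir }}" -maxdepth 1 -type d -name "*.git" -execdir git -C {} gc \;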
4 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git-serve.sh.j2:
--------------------------------------------------------------------------------
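#!/bin/bash
# Entry point for SSH sessions of the aurweb user; presumably installed as the
# forced command by the authorized_keys lines aurweb-git-auth prints (confirm
# against aurweb). Hands the session to aurweb-git-serve inside the venv.
#
# set -e plus the explicit cd check: a missing checkout or virtualenv ends
# the session with an error rather than running whatever `aurweb-git-serve`
# is on PATH.
set -e
cd "{{ aurweb_dir }}" || exit 1
source .venv/bin/activate
exec aurweb-git-serve "$@"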
5 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git-update.sh.j2:
--------------------------------------------------------------------------------
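#!/bin/bash
# Wrapper for aurweb-git-update (presumably the git update hook that validates
# pushes — confirm against aurweb); runs it inside the project virtualenv.
#
# set -e plus the explicit cd check: if the checkout or virtualenv is missing
# the hook fails, which rejects the push, instead of running an
# `aurweb-git-update` found on PATH.
set -e
cd "{{ aurweb_dir }}" || exit 1
source .venv/bin/activate
exec aurweb-git-update "$@"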
5 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Git gc AUR

[Service]
# One pass of aurweb-git-gc.sh per activation (daily via aurweb-git.timer),
# as the aurweb user and at lowered priority so it does not compete with the
# web service.
Type=oneshot
User={{ aurweb_user }}
WorkingDirectory={{ aurweb_dir }}
ExecStart=/usr/local/bin/aurweb-git-gc.sh
Nice=5
10 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-git.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Git gc & repack AUR

[Timer]
# Daily, spread over a random hour. Not Persistent: a run missed during
# downtime is simply skipped until the next day.
OnCalendar=daily
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-github-mirror.service.j2:
--------------------------------------------------------------------------------
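[Unit]
Description=Mirror the AUR git repository to GitHub

[Service]
Type=oneshot
User={{ aurweb_user }}
WorkingDirectory={{ aurweb_git_dir }}
# Force-push every branch so the mirror follows history rewrites on the AUR
# side. Authentication is the aurweb user's SSH key. NOTE(review): the GitHub
# host key must already be in that user's known_hosts; a non-interactive
# unit cannot answer a host-key prompt, so a missing entry fails the push.
ExecStart=/usr/bin/git push --force --all git@github.com:archlinux/aur.git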
6 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-github-mirror.timer.j2:
--------------------------------------------------------------------------------
[Timer]
# Every minute with up to a minute of jitter. systemd does not start the
# service while a previous push is still running, so overlapping pushes are
# not a concern.
OnCalendar=minutely
RandomizedDelaySec=1m

[Install]
WantedBy=timers.target
7 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-mkpkglists.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Regenerate aurweb package and user lists

[Timer]
# First run 5m after the service manager started, then every 5m after the
# previous activation. See the note in aurweb-git-archive.timer.j2 about
# this timer's planned retirement.
OnStartupSec=5m
OnUnitActiveSec=5m

[Install]
WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-pkgmaint.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Delete old, empty reserved aurweb pkgbases

[Timer]
# First run 2h after the service manager started, then every 2h after the
# previous activation, with up to 5 minutes of jitter.
OnStartupSec=2h
OnUnitActiveSec=2h
RandomizedDelaySec=5min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-popupdate.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Update aurweb per-package popularity counts

[Timer]
# First run 2h after the service manager started, then every 2h after the
# previous activation, with up to 5 minutes of jitter.
OnStartupSec=2h
OnUnitActiveSec=2h
RandomizedDelaySec=5min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-usermaint.timer.j2:
--------------------------------------------------------------------------------
[Unit]
# Data-minimisation job: drops stored login IP addresses of accounts that
# have not logged in for 7 days.
Description=Remove last login IP address of users who did not login since 7 days in aurweb

[Timer]
# First run 2h after the service manager started, then every 2h after the
# previous activation, with up to 5 minutes of jitter.
OnStartupSec=2h
OnUnitActiveSec=2h
RandomizedDelaySec=5min

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb-votereminder.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Send aurweb vote reminder emails

[Timer]
# Twice a day: 12h after the service manager started, then every 12h after
# the previous activation. No jitter and not Persistent.
OnStartupSec=12h
OnUnitActiveSec=12h

[Install]
WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb.service.j2:
--------------------------------------------------------------------------------
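[Unit]
Description=aurweb asgi server

[Service]
# Scratch directory under /run for the prometheus multiprocess collector;
# created for the service user on start and removed on stop.
RuntimeDirectory={{ aurweb_prom_dir }}
Environment=PROMETHEUS_MULTIPROC_DIR=/run/{{ aurweb_prom_dir }}
User={{ aurweb_user }}
WorkingDirectory={{ aurweb_dir }}
LimitNOFILE=2048
ExecStart=/usr/bin/poetry run gunicorn \
    --log-config {{ aurweb_dir }}/logging.prod.conf \
    --bind {{ aurweb_asgi_bind }} \
    --workers {{ aurweb_workers }} \
    -k uvicorn.workers.UvicornWorker \
    aurweb.asgi:app
# Bring the site back after a crash instead of staying down until someone
# notices (systemd's default RestartSec applies between attempts).
Restart=on-failure
# Everything here runs as the unprivileged aurweb user; nothing needs setuid
# binaries or capabilities, so rule out privilege escalation from the workers.
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target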
19 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/aurweb_config.j2:
--------------------------------------------------------------------------------
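# sshd drop-in for the AUR git user. Every login is decided by
# aurweb-git-auth.sh, which prints the authorized_keys entry for the offered
# key; this block only makes sure no other channel into the account exists.
Match User {{ aurweb_user }}
    # Keys only: no passwords and no keyboard-interactive fallback either.
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    # %t = key type, %k = base64 key. The command itself runs as the
    # unprivileged aurweb user.
    AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth.sh "%t" "%k"
    AuthorizedKeysCommandUser {{ aurweb_user }}
    # Clients may pass AUR_OVERWRITE through to the session (presumably read
    # by aurweb to permit overwriting history on push; confirm in aurweb).
    AcceptEnv AUR_OVERWRITE
    # This account exists for git only: no TCP, unix-socket or agent
    # forwarding, no X11, no tunnel devices.
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no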
8 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/cgit.ini.j2:
--------------------------------------------------------------------------------
# uwsgi CGI runner for the AUR cgit web interface.
[uwsgi]
plugins = cgi
socket = {{ cgit_socket }}
# Socket owned by the aurweb user, group http, mode 770: the web server
# (group http) can connect, nobody else can.
chown-socket = {{ aurweb_user }}:http
chmod-socket = 770
threads = 4
daemonize = /var/log/uwsgi/cgit-aurweb.log

cgi = /usr/share/webapps/cgit-aurweb/cgit.cgi
# cgit runs as the same user the git maintenance units use, so it can read
# the repositories directly.
uid = {{ aurweb_user }}
gid = http
12 |
--------------------------------------------------------------------------------
/roles/aurweb/templates/smartgit.ini.j2:
--------------------------------------------------------------------------------
# uwsgi CGI runner for git-http-backend (smart HTTP access to the AUR
# repositories), laid out like cgit.ini.j2. git-http-backend expects
# GIT_PROJECT_ROOT / PATH_INFO from the web server; they are not set here.
[uwsgi]
plugins = cgi
socket = {{ smartgit_socket }}
# Socket owned by the aurweb user, group http, mode 770: only the web server
# can connect.
chown-socket = {{ aurweb_user }}:http
chmod-socket = 770
threads = 4
daemonize = /var/log/uwsgi/smartgit-aurweb.log

cgi = /usr/lib/git-core/git-http-backend
uid = {{ aurweb_user }}
gid = http
11 |
--------------------------------------------------------------------------------
/roles/borg_client/defaults/main.yml:
--------------------------------------------------------------------------------
# Borg targets every client backs up to: a Hetzner storage box and, as the
# offsite copy, rsync.net. `dir` is appended to `host` to form BORG_REPO (see
# borg.j2); `suffix` presumably names the per-target wrapper and unit
# (borg-backup-offsite.service exists for the second entry — confirm in the
# tasks); `borg_cmd` is the local borg invocation, including any options the
# remote needs (rsync.net's borg binary is addressed as `borg1`).
backup_hosts:
  - host: "ssh://u236610.your-storagebox.de:23"
    dir: "~/repo"
    suffix: ""
    borg_cmd: "/usr/bin/borg"
  - host: "ssh://zh1905@zh1905.rsync.net:22"
    dir: "~/backup/{{ inventory_hostname }}"
    suffix: "-offsite"
    borg_cmd: "/usr/bin/borg --remote-path=borg1"

# Staging directories for the database copies that go into the backup, and
# the MariaDB credentials file used by backup-mysql.sh.j2 (it contains the
# root password, so it must stay root-only).
backup_postgres_dir: /root/backup-postgres
backup_mysql_dir: /root/backup-mysql
backup_mysql_defaults: /root/.backup-my.cnf
14 |
--------------------------------------------------------------------------------
/roles/borg_client/files/borg-backup-offsite.service:
--------------------------------------------------------------------------------
[Unit]
Description=Borg backup (offsite)

[Service]
# Runs the generated offsite wrapper; pulled in and ordered after the
# primary backup by borg-backup.service, so it has no timer of its own.
Type=oneshot
ExecStart=/usr/local/bin/borg-backup-offsite.sh
7 |
--------------------------------------------------------------------------------
/roles/borg_client/files/borg-backup.service:
--------------------------------------------------------------------------------
[Unit]
Description=Borg backup

# The offsite copy is started together with this unit and only after this
# unit has finished; one timer therefore drives both backups.
Wants=borg-backup-offsite.service
Before=borg-backup-offsite.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/borg-backup.sh
10 |
--------------------------------------------------------------------------------
/roles/borg_client/files/borg-backup.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Borg backup

[Timer]
# Daily, spread over a random hour; Persistent=true makes up a run that was
# missed while the host was down, so no day goes without a backup.
OnCalendar=daily
Persistent=true
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/borg_client/templates/backup-my.cnf.j2:
--------------------------------------------------------------------------------
# MariaDB client credentials for backup-mysql.sh.j2 (mariabackup). This file
# carries the root password in clear text: the task that installs it (at the
# backup_mysql_defaults path, /root/.backup-my.cnf by default) must deploy it
# owned by root with mode 0600.
[client]
user = root
password = "{{ vault_mariadb_users.root }}"
4 |
--------------------------------------------------------------------------------
/roles/borg_client/templates/backup-mysql.sh.j2:
--------------------------------------------------------------------------------
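#!/bin/bash
# Take a fresh physical MariaDB backup into backup_mysql_dir for borg to pick
# up. The previous copy is wiped first so the directory only ever holds one
# consistent backup.

set -euo pipefail

# The files written here are a full copy of the database: make them
# root-only whatever umask the caller had.
umask 077

mysql_opts="--defaults-file={{ backup_mysql_defaults }}"
backupdir="{{ backup_mysql_dir }}"

mkdir -p "$backupdir"
# ${backupdir:?} aborts instead of expanding to "/*" should the variable be empty.
rm -rf "${backupdir:?}"/*
mariabackup "$mysql_opts" --backup --target-dir="$backupdir"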
11 |
--------------------------------------------------------------------------------
/roles/borg_client/templates/borg.j2:
--------------------------------------------------------------------------------
#!/bin/bash
# Per-target borg wrapper: points BORG_REPO at this target's repository and
# passes all arguments on to the configured borg command. borg_cmd may carry
# its own options (e.g. --remote-path), so it is intentionally not quoted.
repo="{{ item['host'] }}/{{ item['dir'] }}"
export BORG_REPO="$repo"
exec {{ item['borg_cmd'] }} "$@"
4 |
--------------------------------------------------------------------------------
/roles/bugbot/defaults/main.yml:
--------------------------------------------------------------------------------
# IRC endpoint (6697 is the TLS port) and channel the bot joins; rendered
# into the service environment by bugbot.j2.
irc_host: 'irc.libera.chat'
irc_port: '6697'
irc_channel: '#archlinux-bugs'
bugbot_version: '20200818'
# Key fingerprint(s) and uid address(es), presumably used to verify the
# signed bugbot release before installing it — confirm in the role's tasks.
bugbot_pgp_keys: ['92D9C6CDE99A2024D690A76EE742683BA08CB2FF']
bugbot_pgp_emails: ['foxboron@archlinux.org']
# Nicks allowed to command the bot (ADMIN_NICKS in bugbot.j2).
bugbot_admins:
  - Foxboron
  - jelle
10 |
--------------------------------------------------------------------------------
/roles/bugbot/files/bugbot.service:
--------------------------------------------------------------------------------
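[Unit]
Description=The official Arch Linux IRC bugbot

[Service]
# Secrets (NickServ and bug-tracker credentials) come from the env file. It
# is read by PID 1, so it can stay root-only even though the bot itself runs
# as a dynamic user.
EnvironmentFile=/srv/bugbot/env
ExecStart=/srv/bugbot/bugbot.py
Restart=on-failure
# DynamicUser already implies ProtectSystem=strict, PrivateTmp and
# NoNewPrivileges; the explicit lines are kept for readability. The rest
# removes kernel, namespace and personality surface an IRC bot has no use for.
DynamicUser=yes
ProtectSystem=strict
PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectHostname=true
ProtectClock=true
ProtectProc=invisible
RestrictNamespaces=true
LockPersonality=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
# NOTE(review): RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX would also
# fit; left out until verified against the bot's resolver/DNS path.

[Install]
WantedBy=multi-user.target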
23 |
--------------------------------------------------------------------------------
/roles/bugbot/templates/bugbot.j2:
--------------------------------------------------------------------------------
# Environment for bugbot.service (EnvironmentFile=/srv/bugbot/env). It holds
# credentials: install it root-owned with mode 0600 — systemd reads it, the
# bot's dynamic user does not need to.
PYTHONUNBUFFERED=1
ADMIN_NICKS="{{bugbot_admins | join(',')}}"
IRC_HOST="{{irc_host}}"
IRC_PORT="{{irc_port}}"
IRC_CHANNEL="{{irc_channel}}"

# NOTE(review): values are double-quoted; a secret containing `"` or `\`
# would be cut short or unescaped by systemd's EnvironmentFile parser —
# confirm the vaulted values contain neither.
NICKSERV_IDENTIFY="{{ bugbot_identify_password }}"
BUGTRACKER_USER="{{ bugtracker_user }}"
BUGTRACKER_PASS="{{ bugtracker_pass }}"
10 |
--------------------------------------------------------------------------------
/roles/bugbuddy/defaults/main.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archlinux/infrastructure/91384906a4fc7b69f7b32c341cbbdf47a7f72b2c/roles/bugbuddy/defaults/main.yml
--------------------------------------------------------------------------------
/roles/bugbuddy/handlers/main.yml:
--------------------------------------------------------------------------------
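# bugbuddy handlers, using the `daemon_reload` spelling from
# roles/common/handlers/main.yml.
- name: Daemon reload
  systemd_service:
    daemon_reload: true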
4 |
--------------------------------------------------------------------------------
/roles/bugbuddy/templates/bugbuddy.conf.j2:
--------------------------------------------------------------------------------
# API token and webhook secret for bugbuddy; both vaulted. Install root-only
# (mode 0600). Values are unquoted, which is fine as long as the tokens
# contain no whitespace or quote characters.
BUGBUDDY_GITLAB_TOKEN={{ vault_bugbuddy_gitlab_token }}
BUGBUDDY_WEBHOOK_TOKEN={{ vault_bugbuddy_webhook_token }}
3 |
--------------------------------------------------------------------------------
/roles/certbot/defaults/main.yml:
--------------------------------------------------------------------------------
# Off by default; presumably enables the rfc2136 DNS-01 configuration
# (rfc2136.ini.j2) when set — confirm in the role's tasks.
certbot_dns_support: false
2 |
--------------------------------------------------------------------------------
/roles/certbot/files/certbot-renewal.service:
--------------------------------------------------------------------------------
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
# Runs as root (no User=), which certbot needs for /etc/letsencrypt. The
# jitter is provided by the timer (RandomizedDelaySec=24h), hence
# --no-random-sleep-on-renew. All three hook phases go through hook.sh,
# which fans out to /etc/letsencrypt/hook.d/*.
ExecStart=/usr/bin/certbot renew \
    --no-random-sleep-on-renew \
    --pre-hook "/etc/letsencrypt/hook.sh pre" \
    --post-hook "/etc/letsencrypt/hook.sh post" \
    --renew-hook "/etc/letsencrypt/hook.sh renew"
11 |
--------------------------------------------------------------------------------
/roles/certbot/files/certbot-renewal.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
# Daily, at a random point within the following 24h (so effectively once
# per day at an arbitrary time); a run missed while down is made up.
OnCalendar=daily
RandomizedDelaySec=24h
Persistent=true

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/certbot/files/hook.sh:
--------------------------------------------------------------------------------
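#!/bin/sh
# Fan-out for certbot's --pre-hook/--post-hook/--renew-hook: runs every
# executable in /etc/letsencrypt/hook.d in glob (name) order, passing the
# hook phase ("pre", "post" or "renew") through as "$@".
#
# Every hook still runs when an earlier one failed, but the exit status now
# reports the failure, so certbot logs it instead of treating a half-applied
# set of hooks as success. An empty directory leaves the pattern unexpanded;
# the -x test then fails and the entry is skipped.
rc=0
for f in /etc/letsencrypt/hook.d/*; do
    if test -x "$f"; then
        "$f" "$@" || rc=$?
    fi
done
exit $rc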
7 |
--------------------------------------------------------------------------------
/roles/certbot/templates/rfc2136.ini.j2:
--------------------------------------------------------------------------------
# certbot-dns-rfc2136 credentials for DNS-01 challenges: the TSIG key named
# certbot_tsig_name, with its secret taken from dyn_dns_keys, on the
# dynamic-DNS server. The file contains the key secret, so it has to be
# installed with mode 0600 (certbot warns about looser permissions).
dns_rfc2136_server = {{ dyn_dns_server }}
dns_rfc2136_name = {{ certbot_tsig_name }}
dns_rfc2136_secret = {{ dyn_dns_keys[certbot_tsig_name].secret }}
# The plugin wants the algorithm name in upper case, e.g. HMAC-SHA512.
dns_rfc2136_algorithm = {{ dyn_dns_keys[certbot_tsig_name].algorithm | upper }}
5 |
--------------------------------------------------------------------------------
/roles/certificate/defaults/main.yml:
--------------------------------------------------------------------------------
# ACME challenge type used by the certificate role (HTTP-01 unless a host
# overrides it) and the contact address registered with the CA.
certificate_challenge: "HTTP-01"
certificate_contact_email: "webmaster@archlinux.org"
3 |
--------------------------------------------------------------------------------
/roles/chrony/files/chronyd:
--------------------------------------------------------------------------------
# Extra chronyd options (environment file at /etc/sysconfig/chronyd):
# -r reloads the measurement history saved at the previous shutdown.
OPTIONS=-r
2 |
--------------------------------------------------------------------------------
/roles/chrony/handlers/main.yml:
--------------------------------------------------------------------------------
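# Restart after chrony.conf or the chronyd environment file changed, in the
# dictionary form used by the other roles' handlers.
- name: Restart chronyd
  service:
    name: chronyd
    state: restarted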
3 |
--------------------------------------------------------------------------------
/roles/chrony/tasks/main.yml:
--------------------------------------------------------------------------------
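# Install and configure chrony as the system NTP client.
- name: Install chrony
  pacman: name=chrony state=present

- name: Create sysconfig directory for chronyd environment file
  # Octal with a leading zero, matching the copy task below and what
  # ansible-lint expects; a bare 755 would become decimal if this task were
  # ever converted to the dictionary form.
  file: path=/etc/sysconfig state=directory owner=root group=root mode=0755

- name: Install chrony configuration
  copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0644
  loop:
    - { src: chronyd, dest: /etc/sysconfig/chronyd }
    - { src: chrony.conf, dest: /etc/chrony.conf }
  notify: Restart chronyd

- name: Start and enable chronyd
  service: name=chronyd enabled=yes state=started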
16 |
--------------------------------------------------------------------------------
/roles/common/defaults/main.yml:
--------------------------------------------------------------------------------
# Defaults for the common role. Hosts opt in to network configuration and to
# zram swap; zram_fraction is rendered into zram-generator.conf (fraction of
# RAM used for the zram0 device).
configure_network: false
enable_zram_swap: false
zram_fraction: 1.0
4 |
--------------------------------------------------------------------------------
/roles/common/files/oomd-override_-.slice.conf:
--------------------------------------------------------------------------------
# systemd-oomd policy for the root slice: when swap runs out, kill the
# cgroup using the most swap instead of letting the kernel OOM killer pick.
[Slice]
ManagedOOMSwap=kill
3 |
--------------------------------------------------------------------------------
/roles/common/files/oomd-override_user@.service.conf:
--------------------------------------------------------------------------------
# systemd-oomd policy for user sessions: kill when memory pressure in the
# session stays above 60% (only user@ slices, not system services).
[Service]
ManagedOOMMemoryPressure=kill
ManagedOOMMemoryPressureLimit=60%
4 |
--------------------------------------------------------------------------------
/roles/common/files/smartd.conf:
--------------------------------------------------------------------------------
# Monitor every SMART-capable disk; -s schedules a short self-test every day
# at 02:00 (pattern T/MM/DD/d/HH with S = short test).
DEVICESCAN -s S/../.././02
2 |
--------------------------------------------------------------------------------
/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
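# Handlers shared by all hosts. All three use the dictionary form so the file
# reads uniformly (the last one previously used the inline k=v form).
- name: Restart journald
  systemd_service:
    name: systemd-journald
    state: restarted
    daemon_reload: true

- name: Systemd daemon-reload
  systemd_service:
    daemon_reload: true

- name: Restart systemd-zram-setup@zram0
  systemd_service:
    name: systemd-zram-setup@zram0
    state: restarted
    daemon_reload: true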
13 |
--------------------------------------------------------------------------------
/roles/common/meta/main.yml:
--------------------------------------------------------------------------------
1 | # "common" always pulls in the chrony role first, so every managed host gets time
2 | # synchronisation (TLS validity checks and log correlation depend on a sane clock).
3 | dependencies:
4 | - role: chrony
5 |
--------------------------------------------------------------------------------
/roles/common/templates/journald.conf.j2:
--------------------------------------------------------------------------------
1 | # journald overrides deployed by the common role.
2 | [Journal]
3 | # Allow up to 100000 messages per service per RateLimitIntervalSec (left at its default) before
4 | # journald starts dropping. A flooding service can therefore fill the journal fast; SystemMaxFiles
5 | # bounds the number of archived journal files rather than the rate.
6 | RateLimitBurst=100000
7 | SystemMaxFiles=10000
8 | # Never broadcast emergency messages to logged-in terminals.
9 | ForwardToWall=no
10 |
--------------------------------------------------------------------------------
/roles/common/templates/locale.conf.j2:
--------------------------------------------------------------------------------
1 | # System-wide locale: C.UTF-8 gives UTF-8 handling without depending on generated locales.
2 | LANG=C.UTF-8
3 |
--------------------------------------------------------------------------------
/roles/common/templates/mirrorlist.j2:
--------------------------------------------------------------------------------
1 | {#- Pacman mirror list. Build servers try the canonical repos host first; mirror hosts and
2 |     repos.archlinux.org itself read the local tree; mirror.pkgbuild.com is the fallback for all. -#}
3 | {% if 'buildservers' in group_names %}
4 | Server = https://repos.archlinux.org/$repo/os/$arch
5 | {% endif %}
6 | {% if inventory_hostname == 'repos.archlinux.org' or 'mirrors' in group_names %}
7 | Server = file:///srv/ftp/$repo/os/$arch
8 | {% endif %}
9 | Server = https://mirror.pkgbuild.com/$repo/os/$arch
10 |
--------------------------------------------------------------------------------
/roles/common/templates/system.conf.j2:
--------------------------------------------------------------------------------
1 | # systemd manager override: PID 1 pets the hardware watchdog; if the system hangs for 5 minutes
2 | # the watchdog resets it. Has no effect on hosts without a watchdog device.
3 | [Manager]
4 | RuntimeWatchdogSec=5min
5 |
--------------------------------------------------------------------------------
/roles/common/templates/zram-generator.conf:
--------------------------------------------------------------------------------
1 | # zram-generator: one compressed swap device sized as zram_fraction x RAM (role default 1.0),
2 | # with no absolute size cap. Presumably only templated when enable_zram_swap is set.
3 | [zram0]
4 | max-zram-size = none
5 | zram-fraction = {{ zram_fraction }}
6 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/archive-cleanup.timer:
--------------------------------------------------------------------------------
1 | # Runs archive-cleanup.service once a day; Persistent= catches up on a run missed while the host was down.
2 | [Timer]
3 | OnCalendar=daily
4 | Persistent=true
5 |
6 | [Install]
7 | WantedBy=timers.target
8 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/archive-index.service:
--------------------------------------------------------------------------------
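1 | [Unit]
2 | # Fail-safe in case this is accidentally deployed on an archive server
3 | ConditionPathExists=!/srv/archive/repos
4 |
5 | [Service]
6 | User=archive
7 | Type=oneshot
8 | ExecStart=/srv/repos/git-packages/dbscripts/cron-jobs/archive-index
9 | # Sandbox to the same level as cleanup.service in this role: read-only OS and home directories,
10 | # private /tmp and /dev, no capabilities and no privilege escalation; only the archive tree is
11 | # writable. PrivateNetwork is deliberately left out because the indexer's network needs are not
12 | # visible here — confirm before adding it.
13 | ProtectSystem=strict
14 | ProtectHome=yes
15 | PrivateTmp=yes
16 | PrivateDevices=yes
17 | NoNewPrivileges=yes
18 | CapabilityBoundingSet=
19 | ReadWritePaths=/srv/archive
20 |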
--------------------------------------------------------------------------------
/roles/dbscripts/files/archive-index.timer:
--------------------------------------------------------------------------------
1 | # Runs archive-index.service every hour; a run missed while the host was down is made up on boot.
2 | [Timer]
3 | OnCalendar=hourly
4 | Persistent=true
5 |
6 | [Install]
7 | WantedBy=timers.target
8 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/cleanup.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Cleanup
3 |
4 | [Service]
5 | Type=oneshot
6 | # dbscripts' ftpdir-cleanup, run as the dedicated "cleanup" user.
7 | User=cleanup
8 | ExecStart=/srv/repos/git-packages/dbscripts/cron-jobs/ftpdir-cleanup
9 |
10 | # Sandbox: no capabilities, no privilege escalation, private /dev, /tmp and network namespace,
11 | # read-only OS and home directories. Only the package tree, the dbscripts checkout and the lock
12 | # directory stay writable (still subject to ordinary file permissions).
13 | # NOTE(review): the dbscripts checkout also holds the scripts that archive-index/sourceballs run as
14 | # other users; if ftpdir-cleanup does not need to write there, drop it from ReadWritePaths.
15 | CapabilityBoundingSet=
16 | PrivateDevices=true
17 | PrivateNetwork=true
18 | NoNewPrivileges=true
19 | ProtectSystem=strict
20 | ProtectHome=true
21 | PrivateTmp=true
22 | ReadWritePaths=/srv/ftp/ /srv/repos/git-packages /srv/repos/lock
23 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/cleanup.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Cleanup
3 |
4 | # First run 15 minutes after boot, then every 3 hours after the previous run finished
5 | # (monotonic schedule, so there is no catch-up for missed runs).
6 | [Timer]
7 | OnBootSec=15min
8 | OnUnitActiveSec=3h
9 |
10 | [Install]
11 | WantedBy=timers.target
12 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/createlinks.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Create sogrep database
3 | # The package tree must be mounted before the job starts.
4 | RequiresMountsFor=/srv/ftp
5 |
6 | [Service]
7 | Type=oneshot
8 | # NOTE(review): no User= here, so createlinks runs as root, unlike cleanup/sourceballs in this
9 | # role — check whether a dedicated user and ProtectSystem= would do.
10 | ExecStart=/usr/local/bin/createlinks
11 | # Bulk job over the whole package tree: lowest CPU priority and low best-effort I/O priority.
12 | Nice=19
13 | IOSchedulingClass=best-effort
14 | IOSchedulingPriority=7
15 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/createlinks.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Daily creation of sogrep DB
3 |
4 | # Daily, but AccuracySec=24h lets systemd fire it anywhere within the following day, so the
5 | # actual start time is not predictable. Missed runs are made up on boot.
6 | [Timer]
7 | OnCalendar=daily
8 | AccuracySec=24h
9 | Persistent=true
10 |
11 | [Install]
12 | WantedBy=timers.target
13 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/gen_rsyncd.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Generate rsync config for mirrors
3 |
4 | [Service]
5 | Type=oneshot
6 | # Runs as root since it presumably rewrites the rsyncd configuration. The generator script is not
7 | # part of this listing; whatever data it reads decides which hosts get rsync access to the tree.
8 | User=root
9 | ExecStart=/etc/rsyncd-conf-genscripts/gen_rsyncd.conf.pl
10 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/gen_rsyncd.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Generate rsync config for mirrors
3 |
4 | # 15 minutes after boot, then hourly after each run (monotonic, no catch-up).
5 | [Timer]
6 | OnBootSec=15min
7 | OnUnitActiveSec=1h
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/gitconfig:
--------------------------------------------------------------------------------
1 | # vim:set ft=gitconfig noet sw=0 sts=-1:
2 |
3 | # Disables git's "dubious ownership" check (CVE-2022-24765) for every path. That check keeps git
4 | # from honouring the config and hooks of a repository owned by another user; with "*" the user
5 | # this file is deployed for will run hooks from any repository they can read. Prefer listing the
6 | # shared checkouts that actually need it (e.g. /srv/repos/git-packages) where the deployment allows.
7 | [safe]
8 | directory = *
9 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/lastsync.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=lastsync
3 |
4 | [Service]
5 | Type=oneshot
6 | # Publish the current epoch as /srv/ftp/lastsync for mirrors. Written to a temp file and renamed
7 | # so readers never see a half-written file; "%%" is the unit-file escape for a literal "%".
8 | # Runs as root (no User=).
9 | ExecStart=/usr/bin/bash -c "date +%%s > /srv/ftp/lastsync.tmp && \
10 | mv /srv/ftp/lastsync.tmp /srv/ftp/lastsync"
11 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/lastsync.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=lastsync
3 |
4 | # Refresh the timestamp one minute after boot and then once a minute.
5 | [Timer]
6 | OnBootSec=1min
7 | OnUnitActiveSec=1min
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/sourceballs.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Sourceballs
3 |
4 | [Service]
5 | Type=oneshot
6 | # Runs as the "sourceballs" user. NOTE(review): unlike cleanup.service in this role it has no
7 | # sandboxing (ProtectSystem=, NoNewPrivileges=, ...). It presumably needs network access, but the
8 | # filesystem side could likely be tightened to the paths it writes.
9 | User=sourceballs
10 | ExecStart=/srv/repos/git-packages/dbscripts/cron-jobs/sourceballs
11 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/sourceballs.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Sourceballs
3 |
4 | # 15 minutes after boot, then every 8 hours after each run (monotonic, no catch-up).
5 | [Timer]
6 | OnBootSec=15min
7 | OnUnitActiveSec=8h
8 |
9 | [Install]
10 | WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/dbscripts/files/sudoers.d:
--------------------------------------------------------------------------------
1 | # All packaging groups may run db-archive as the "archive" user without a password.
2 | # The command is listed without an argument pattern, so sudo allows any arguments.
3 | %dev, %junior-dev, %packager, %junior-packager ALL = (archive) NOPASSWD: /packages/db-archive
4 |
--------------------------------------------------------------------------------
/roles/dbscripts/templates/authorized_keys-group.j2:
--------------------------------------------------------------------------------
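1 | #jinja2: lstrip_blocks: True
2 | {#- authorized_keys for the shared svn account: one forced-command svnserve entry per public key of
3 |     every user who is in one of pubkey_groups. Keys that already carry a forced command are skipped.
4 |     Blank and comment lines in the .pub file are skipped too (they used to yield a bare
5 |     'command="...",restrict ' line). The username is interpolated unquoted into the forced command,
6 |     which is fine only while usernames stay free of quotes and shell metacharacters. -#}
7 | {% for user in arch_users | sort %}
8 | {% for group in pubkey_groups | sort %}
9 | {% if group in arch_users[user].groups %}
10 | {% set keys = lookup('file', '../pubkeys/'+user+'.pub').split("\n") %}
11 | {% for key in keys | sort %}
12 | {% if key | trim and not key.startswith('#') and "command" not in key -%}
13 | command="/usr/bin/svnserve --tunnel-user={{user}} -t",restrict {{key}}
14 | {% endif %}
15 | {% endfor %}
16 | {% endif %}
17 | {% endfor %}
18 | {% endfor %}
19 |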
--------------------------------------------------------------------------------
/roles/dbscripts/templates/authors.conf.j2:
--------------------------------------------------------------------------------
1 | #jinja2: lstrip_blocks: True
2 | {#- One "Name <email> username" line for every user who is in at least one packager group. -#}
3 | {% for user in arch_users | sort %}
4 | {% if packager_groups | select('in', arch_users[user].groups) | list %}
5 | {{ arch_users[user].name }} <{{ arch_users[user].email }}> {{ user }}
6 | {% endif %}
7 | {% endfor %}
8 |
--------------------------------------------------------------------------------
/roles/debuginfod/defaults/main.yml:
--------------------------------------------------------------------------------
1 | # debuginfod role defaults.
2 | # debuginfod_httpd: presumably toggles a web front-end for the service; off by default.
3 | debuginfod_httpd: false
4 | debuginfod_domain: debuginfod.archlinux.org
5 | # Local listen port behind whatever fronts debuginfod_domain.
6 | debuginfod_port: 8002
7 | debuginfod_database: /var/cache/debuginfod/debuginfod.sqlite
8 | # Trees scanned for debug packages (packagelist.service in this role lists /srv/ftp/pool/*-debug).
9 | debuginfod_package_paths:
10 | - /srv/ftp/pool/packages-debug
11 |
--------------------------------------------------------------------------------
/roles/debuginfod/files/archlinux.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archlinux/infrastructure/91384906a4fc7b69f7b32c341cbbdf47a7f72b2c/roles/debuginfod/files/archlinux.png
--------------------------------------------------------------------------------
/roles/debuginfod/files/packagelist.service:
--------------------------------------------------------------------------------
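1 | [Unit]
2 | Description=Synchronize package list
3 |
4 | [Service]
5 | Type=oneshot
6 | # List every debug package file (signatures excluded) for debuginfod. The -name pattern is quoted so
7 | # bash cannot expand it against the working directory, and the list is written to a temp file and
8 | # renamed so readers never see a partially written list. Still runs as root (no User=), as before.
9 | ExecStart=/usr/bin/bash -c "find /srv/ftp/pool/*-debug/ -type f -not -name '*.sig' > /srv/http/debuginfod/.packages.tmp && mv /srv/http/debuginfod/.packages.tmp /srv/http/debuginfod/packages"
10 |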
--------------------------------------------------------------------------------
/roles/debuginfod/files/packagelist.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Sync package lists every minute
3 |
4 | # Every minute with at most a minute of coalescing; note that each run walks the whole debug pool.
5 | [Timer]
6 | OnCalendar=minutely
7 | AccuracySec=1m
8 | Persistent=true
9 |
10 | [Install]
11 | WantedBy=timers.target
12 |
--------------------------------------------------------------------------------
/roles/debuginfod/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Reload unit definitions after a unit file of this role changed.
2 | - name: Daemon reload
3 |   systemd_service:
4 |     daemon_reload: true
5 |
--------------------------------------------------------------------------------
/roles/dovecot/files/dovecot-cleanup.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Daily Dovecot cleanup
3 |
4 | [Service]
5 | Type=oneshot
6 | # Expunge messages already flagged as deleted, for all users (-A).
7 | ExecStart=/usr/bin/doveadm purge -A
8 |
--------------------------------------------------------------------------------
/roles/dovecot/files/dovecot-cleanup.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Daily Dovecot cleanup
3 |
4 | # Five past midnight every day; without Persistent= a run missed during downtime is simply skipped.
5 | [Timer]
6 | OnCalendar=00:05:00
7 |
8 | [Install]
9 | WantedBy=timers.target
10 |
--------------------------------------------------------------------------------
/roles/dovecot/files/shared-mailboxes:
--------------------------------------------------------------------------------
1 | mediation-team:::::::
2 |
--------------------------------------------------------------------------------
/roles/dovecot/files/shared-mailboxes-acl:
--------------------------------------------------------------------------------
1 | antiz_mediation-team:::::/home/vmail/shared-mailboxes/mediation-team::user=antiz
2 | gromit_mediation-team:::::/home/vmail/shared-mailboxes/mediation-team::user=gromit
3 | serebit_mediation-team:::::/home/vmail/shared-mailboxes/mediation-team::user=serebit
4 |
--------------------------------------------------------------------------------
/roles/dovecot/files/spam-to-folder.sieve:
--------------------------------------------------------------------------------
1 | # Default sieve script: file mail flagged by the spam filter into the Junk folder.
2 | # The header is trusted as-is, so the MTA must strip any X-Spam header the sender supplied.
3 | require ["mailbox", "fileinto"];
4 |
5 | if header :is "X-Spam" "Yes" {
6 |     fileinto :create "Junk";
7 |     stop;
8 | }
9 |
--------------------------------------------------------------------------------
/roles/dovecot/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Despite its name this handler restarts dovecot rather than reloading it, so it drops
2 | # active IMAP sessions.
3 | - name: Reload dovecot
4 |   service:
5 |     name: dovecot
6 |     state: restarted
7 |
8 | # Compile the sieve scripts so dovecot picks up changes.
9 | - name: Run sievec # noqa no-changed-when
10 |   command: "/usr/bin/sievec /etc/dovecot/sieve/{{ item }}"
11 |   loop:
12 |     - spam-to-folder.sieve
13 |
--------------------------------------------------------------------------------
/roles/dovecot/templates/letsencrypt.hook.d.j2:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Certificate renewal hook: reload dovecot once the mail domain's certificate was renewed.
3 | # Only the "renew" phase is handled; RENEWED_DOMAINS is provided by the ACME client.
4 |
5 | [ "$1" = renew ] || exit 0
6 |
7 | mail_domain="{{ mail_domain }}"
8 |
9 | for renewed in $RENEWED_DOMAINS; do
10 |     case "$renewed" in
11 |         $mail_domain) systemctl reload dovecot ;;
12 |     esac
13 | done
14 |
--------------------------------------------------------------------------------
/roles/dyn_dns/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Full restart; pdns.conf changes are not picked up by a reload.
2 | - name: Restart powerdns
3 |   service:
4 |     name: pdns
5 |     state: restarted
6 |
--------------------------------------------------------------------------------
/roles/dyn_dns/templates/pdns.conf.j2:
--------------------------------------------------------------------------------
1 | # PowerDNS authoritative server for the dynamic-DNS zone: sqlite backend, RFC 2136 updates
2 | # gated by a Lua policy script.
3 | setgid=powerdns
4 | setuid=powerdns
5 | local-address={{ ipv4_address }},{{ ipv6_address }}
6 | # Built-in webserver (status page, metrics) listens on every IPv4 address; only the source ACL
7 | # below keeps it private, so it relies on the host firewall closing the webserver port. No api-key
8 | # is set, so the REST API stays off and anything passing the ACL gets the status page unauthenticated.
9 | webserver=yes
10 | webserver-address=0.0.0.0
11 | webserver-allow-from=127.0.0.1,::1,{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
12 | launch=gsqlite3
13 | gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
14 | # Dynamic updates are accepted only as far as the policy script allows.
15 | dnsupdate=yes
16 | lua-dnsupdate-policy-script=/etc/powerdns/dnsupdate-policy.lua
17 |
--------------------------------------------------------------------------------
/roles/fail2ban/defaults/main.yml:
--------------------------------------------------------------------------------
1 | # by default only the sshd jail is enabled
2 | # override this variable in a host/group file to enable additional jails
3 | fail2ban_jails:
4 | sshd: true
5 | postfix: false
6 | dovecot: false
7 | nginx_limit_req: false
8 |
9 | # use variables for these directives so they can be overridden at a host or
10 | # group level as required. note that there cannot be a space between the
11 | # integer and the unit (eg "15min" == good, "15 min" == bad).
12 | # refer to `man jail.conf`
13 | # NOTE(review): the dovecot, postfix and nginx jail templates in this role set their own
14 | # findtime/maxretry/bantime, so these values only reach jails that do not override them.
15 | fail2ban_findtime: 15min
16 | fail2ban_bantime: 1day
17 | fail2ban_maxretry: 5
18 |
--------------------------------------------------------------------------------
/roles/fail2ban/files/fail2ban.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/roles/fail2ban/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: Restart fail2ban
2 |   systemd_service:
3 |     name: fail2ban
4 |     state: restarted
5 |
6 | # Best-effort reload: only talk to the server when fail2ban is installed and answering,
7 | # and never fail the play because of it.
8 | - name: Reload fail2ban jails # noqa no-changed-when
9 |   shell: |
10 |     if type fail2ban-server > /dev/null && fail2ban-client ping > /dev/null; then
11 |         fail2ban-client reload > /dev/null
12 |     fi
13 |     true
14 |
--------------------------------------------------------------------------------
/roles/fail2ban/templates/dovecot.jail.j2:
--------------------------------------------------------------------------------
1 | #
2 | # {{ansible_managed}}
3 | #
4 |
5 | # Ban after 8 failed logins within one hour; bantime comes from the global defaults.
6 | [dovecot]
7 | enabled = true
8 | maxretry = 8
9 | findtime = 1h
10 |
--------------------------------------------------------------------------------
/roles/fail2ban/templates/fail2ban.local.j2:
--------------------------------------------------------------------------------
1 | #
2 | # {{ansible_managed}}
3 | #
4 |
5 | # Server-level settings (fail2ban.local); jail settings live in the per-jail files.
6 | [Definition]
7 |
8 | # we need to override the default pid path to /run instead of /var/run
9 | pidfile = /run/fail2ban/fail2ban.pid
10 |
11 | # redirect to send the log to journald
12 | logtarget = SYSLOG
13 |
--------------------------------------------------------------------------------
/roles/fail2ban/templates/fail2ban.service.j2:
--------------------------------------------------------------------------------
1 | # the user journal files exceeds MaxNOFiles so increase the
2 | # maximum number of open files
3 | # Refer: https://github.com/fail2ban/fail2ban/issues/2208
4 |
5 | # systemd drop-in for fail2ban.service (the journal backend keeps one fd per journal file).
6 | [Service]
7 | LimitNOFILE=8192
8 |
--------------------------------------------------------------------------------
/roles/fail2ban/templates/firewallcmd-ipset-allports.conf.j2:
--------------------------------------------------------------------------------
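1 | #
2 | # {{ansible_managed}}
3 | #
4 |
5 | # Ban action backed by a firewalld ipset named "fail2ban": banning adds the offending address to
6 | # the set, unbanning removes it. The <ip> tag is fail2ban's placeholder for the banned address — the
7 | # action is a no-op without it. The set itself and the rule dropping traffic from it are not created
8 | # here (no actionstart/actionstop), so the firewalld configuration must provide them.
9 | [Definition]
10 |
11 | actionban = firewall-cmd --ipset=fail2ban --add-entry=<ip>
12 | actionunban = firewall-cmd --ipset=fail2ban --remove-entry=<ip>
13 |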
--------------------------------------------------------------------------------
/roles/fail2ban/templates/nginx-limit-req.jail.j2:
--------------------------------------------------------------------------------
1 | #
2 | # {{ansible_managed}}
3 | #
4 |
5 | # Ban clients that trip nginx's limit_req more than 10 times within 5 minutes, for one hour.
6 | [nginx-limit-req]
7 |
8 | enabled = true
9 | filter = nginx-limit-req
10 | # NOTE(review): this jail bans through iptables-multiport although the role also ships a firewalld
11 | # ipset action; on a firewalld host the two may not cooperate — confirm which banaction the other
12 | # jails end up with and align this one.
13 | action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
14 | # One error log per vhost.
15 | logpath = /var/log/nginx/*/error.log
16 | findtime = 5min
17 | bantime = 1hours
18 | maxretry = 10
19 | # Do not fail2ban archweb's rss limit.
20 | ignoreregex = rsslimit
21 |
--------------------------------------------------------------------------------
/roles/fail2ban/templates/postfix.jail.j2:
--------------------------------------------------------------------------------
1 | #
2 | # {{ansible_managed}}
3 | #
4 |
5 | # Aggressive mode also matches rejected/abusive SMTP sessions, not only auth failures;
6 | # ban after 8 hits within one hour (bantime from the global defaults).
7 | [postfix]
8 | enabled = true
9 | mode = aggressive
10 | maxretry = 8
11 | findtime = 1h
12 |
--------------------------------------------------------------------------------
/roles/fail2ban/templates/sshd.jail.j2:
--------------------------------------------------------------------------------
1 | #
2 | # {{ansible_managed}}
3 | #
4 |
5 | # Only enables the stock sshd jail; findtime/bantime/maxretry come from the global defaults.
6 | [sshd]
7 | enabled = true
8 |
--------------------------------------------------------------------------------
/roles/fetchmail/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Restart after fetchmailrc changed (fetchmail reads its rc file only at start).
2 | - name: Restart fetchmail
3 |   service:
4 |     name: fetchmail
5 |     state: restarted
6 |
--------------------------------------------------------------------------------
/roles/fetchmail/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Install fetchmail
2 |   pacman:
3 |     name: fetchmail
4 |     state: present
5 |
6 | # The rc file carries the IMAP password, hence owner-only permissions.
7 | - name: Template fetchmail config
8 |   template:
9 |     src: fetchmailrc.j2
10 |     dest: /etc/fetchmailrc
11 |     owner: fetchmail
12 |     group: nobody
13 |     mode: "0600"
14 |   notify:
15 |     - Restart fetchmail
16 |
17 | - name: Start and enable fetchmail
18 |   service:
19 |     name: fetchmail
20 |     enabled: true
21 |     state: started
22 |
--------------------------------------------------------------------------------
/roles/fetchmail/templates/fetchmailrc.j2:
--------------------------------------------------------------------------------
1 | # Poll the archlinux.org IMAP server every 10 seconds and hand each message to the delivery command.
2 | set postmaster "postmaster@archlinux.org"
3 | set bouncemail
4 | set no spambounce
5 | set daemon 10
6 | set syslog
7 |
8 | poll mail.archlinux.org
9 | bad-header accept
10 | proto imap
11 | # Credentials come from vault; the file is deployed 0600 to the fetchmail user because it holds
12 | # the password in clear.
13 | user {{ fetchmail_user }}
14 | password {{ fetchmail_password }}
15 | # TLS is mandatory with certificate verification and TLS 1.2 or newer. Messages over 25 MB are not
16 | # fetched and are flushed from the server (limitflush); otherwise everything is fetched, read or not.
17 | options idle sslcertck ssl sslproto "TLS1.2+" limitflush limit 25000000 fetchall
18 | mda "{{ fetchmail_delivery_cmd }}"
19 |
--------------------------------------------------------------------------------
/roles/firewalld/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
2 | # https://github.com/systemd/systemd/issues/2830
3 | # https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
4 | # - name: Restart firewalld
5 | #   service: name=firewalld state=restarted
6 | #
7 | # Both handlers answer to "Restart firewalld" and run in this order. Between the stop and the
8 | # start the host presumably has no firewall rules loaded, so for changes that a runtime reload
9 | # can apply, notifying a firewall-cmd --reload would avoid that window.
10 | - name: Stop firewalld
11 |   listen: Restart firewalld
12 |   service:
13 |     name: firewalld
14 |     state: stopped
15 |
16 | - name: Start firewalld
17 |   listen: Restart firewalld
18 |   service:
19 |     name: firewalld
20 |     state: started
21 |
--------------------------------------------------------------------------------
/roles/fluxbb/defaults/main.yml:
--------------------------------------------------------------------------------
1 | fluxbb_domain: bbs.archlinux.org
2 | fluxbb_dir: /srv/http/fluxbb
3 |
4 | # The cookie name is public by nature. NOTE(review): the funnyquestion hash looks like a site salt
5 | # for the anti-spam question plugin; if it is meant to be secret it belongs in vault_fluxbb.yml.
6 | fluxbb_cookie_name: flux_cookie_eezohm0o
7 | fluxbb_funnyquestion_hash: aixuGahCh4eng3bu
8 | # Pinned to a full commit hash rather than a branch, so the deployed code is reproducible.
9 | fluxbb_version: 4cac14210ef108f32cf41c5ec3978f09d115f816
10 |
--------------------------------------------------------------------------------
/roles/fluxbb/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Restart the forum's dedicated php-fpm pool after its configuration changed.
2 | - name: Restart php-fpm@fluxbb
3 |   systemd_service:
4 |     name: php-fpm@fluxbb.service
5 |     state: restarted
6 |
--------------------------------------------------------------------------------
/roles/geo_dns/files/geoipupdate-pdns-reload.conf:
--------------------------------------------------------------------------------
1 | # Drop-in for geoipupdate.service: after a database update tell PowerDNS to reload it.
2 | # "+" runs the command with full privileges regardless of the unit's User=, "-" ignores a failure
3 | # (e.g. pdns not running) so the update itself still succeeds.
4 | [Service]
5 | ExecStartPost=+-/usr/bin/pdns_control reload
6 |
--------------------------------------------------------------------------------
/roles/geo_dns/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Full restart; pdns.conf changes are not picked up by a reload.
2 | - name: Restart powerdns
3 |   service:
4 |     name: pdns
5 |     state: restarted
6 |
--------------------------------------------------------------------------------
/roles/geo_dns/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | description: geo_dns role
3 | # Not meant to be applied on its own.
4 | standalone: false
5 |
6 | # The geoip backend needs the MaxMind databases, so geoipupdate is always applied first.
7 | dependencies:
8 | - role: geoipupdate
9 |
--------------------------------------------------------------------------------
/roles/geo_dns/templates/pdns.conf.j2:
--------------------------------------------------------------------------------
1 | # PowerDNS authoritative server answering the geo-aware mirror zone from the MaxMind city database.
2 | setgid=powerdns
3 | setuid=powerdns
4 | local-address={{ ipv4_address }},{{ ipv6_address }}
5 | # Built-in webserver (status page, metrics) listens on every IPv4 address; only the source ACL
6 | # below keeps it private, so it relies on the host firewall closing the webserver port. No api-key
7 | # is set, so the REST API stays off and anything passing the ACL gets the status page unauthenticated.
8 | webserver=yes
9 | webserver-address=0.0.0.0
10 | webserver-allow-from=127.0.0.1,::1,{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
11 | launch=geoip
12 | geoip-database-files=/var/lib/GeoIP/GeoLite2-City.mmdb
13 | geoip-zones-file=/etc/powerdns/geo.yml
14 | # LUA records with health checks every 60s decide which mirror a client gets; EDNS client subnet
15 | # lets the resolver's client location rather than the resolver's be used.
16 | enable-lua-records
17 | lua-health-checks-interval=60
18 | edns-subnet-processing=yes
19 |
--------------------------------------------------------------------------------
/roles/geoipupdate/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: Install geoipupdate
2 |   pacman:
3 |     name: geoipupdate
4 |     state: present
5 |   register: installation
6 |
7 | # Holds the MaxMind account id and license key, hence root-only.
8 | - name: Configure geoipupdate
9 |   template:
10 |     src: GeoIP.conf.j2
11 |     dest: /etc/GeoIP.conf
12 |     owner: root
13 |     group: root
14 |     mode: "0600"
15 |   register: configuration
16 |
17 | # Restarting the (presumably oneshot) service fetches the databases right away.
18 | - name: Run geoipupdate after installation or configuration change
19 |   systemd_service:
20 |     name: geoipupdate
21 |     state: restarted
22 |   when: installation is changed or configuration is changed
23 |
24 | - name: Start and enable geoipupdate.timer
25 |   systemd_service:
26 |     name: geoipupdate.timer
27 |     enabled: true
28 |     state: started
29 |
--------------------------------------------------------------------------------
/roles/geoipupdate/templates/GeoIP.conf.j2:
--------------------------------------------------------------------------------
1 | # MaxMind credentials come from the mirror vault; the file is deployed 0600 root-only.
2 | AccountID {{ vault_mirror_maxmind_id }}
3 | LicenseKey {{ vault_mirror_maxmind_license }}
4 |
5 | # City is what geo_dns reads; Country is fetched alongside it.
6 | EditionIDs GeoLite2-Country GeoLite2-City
7 |
--------------------------------------------------------------------------------
/roles/gitlab/files/gitlab-bot-token-extender.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=GitLab Bot Token Extender
3 |
4 | [Service]
5 | Type=oneshot
6 | # Runs the Rails script inside the gitlab container (docker exec as root on the host). Together with
7 | # its weekly timer this keeps the bots' tokens and memberships perpetually 12 months from expiry, so
8 | # expiry is not an effective control for these accounts — rotation has to happen elsewhere.
9 | ExecStart=/usr/bin/docker exec -t gitlab gitlab-rails runner /opt/gitlab-scripts/gitlab-bot-token-extender.rb
10 |
--------------------------------------------------------------------------------
/roles/gitlab/files/gitlab-bot-token-extender.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=GitLab Bot Token Extender
3 |
4 | # Weekly with up to a day of jitter; a run missed during downtime is made up on boot.
5 | [Timer]
6 | OnCalendar=weekly
7 | Persistent=true
8 | RandomizedDelaySec=24h
9 |
10 | [Install]
11 | WantedBy=timers.target
12 |
--------------------------------------------------------------------------------
/roles/gitlab/files/gitlab-cleanup.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=GitLab Cleanup
3 |
4 | # Daily with up to an hour of jitter; a run missed during downtime is made up on boot.
5 | [Timer]
6 | OnCalendar=daily
7 | Persistent=true
8 | RandomizedDelaySec=1h
9 |
10 | [Install]
11 | WantedBy=timers.target
12 |
--------------------------------------------------------------------------------
/roles/gitlab/templates/gitlab-bot-token-extender.rb.j2:
--------------------------------------------------------------------------------
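1 | # Rendered by Ansible: gitlab_bots becomes a Ruby array of JSON-quoted usernames.
2 | bots = [{{ gitlab_bots | map("to_json") | join(', ') }}]
3 |
4 | # Push every project membership and personal access token of each bot user 12 months out.
5 | # Run weekly by gitlab-bot-token-extender.timer.
6 | bots.each do |username|
7 |   puts "Bot user: #{username}"
8 |   user = User.find_by_username(username)
9 |   # A renamed or deleted bot used to raise NoMethodError on nil here and abort the run for all
10 |   # remaining bots; report it and carry on instead.
11 |   if user.nil?
12 |     warn "Bot user #{username} not found, skipping"
13 |     next
14 |   end
15 |   # update_all bypasses validations and also touches revoked tokens' expires_at; that is harmless
16 |   # since a revoked token stays revoked, but narrow the scope if the model offers one.
17 |   user.project_members.update_all(expires_at: 12.months.from_now)
18 |   user.personal_access_tokens.update_all(expires_at: 12.months.from_now)
19 | end
20 |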
--------------------------------------------------------------------------------
/roles/gitlab_runner/defaults/main.yml:
--------------------------------------------------------------------------------
1 | # Memory (MiB, presumably) given to each libvirt-executor VM; override per host.
2 | gitlab_runner_libvirt_vm_memory: 2048
3 |
--------------------------------------------------------------------------------
/roles/gitlab_runner/files/daemon.json:
--------------------------------------------------------------------------------
1 | {
2 | "ipv6": true,
3 | "fixed-cidr-v6": "fd00::/80",
4 | "cgroup-parent": "docker.slice",
5 | "log-driver": "journald",
6 | "default-ulimits": {
7 | "nofile": {
8 | "Name": "nofile",
9 | "Hard": 524288,
10 | "Soft": 1024
11 | }
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/roles/gitlab_runner/files/docker.slice:
--------------------------------------------------------------------------------
1 | # Slice that docker puts all containers under (cgroup-parent in daemon.json); caps them at 95% of
2 | # RAM in total so a runaway CI job cannot starve the host itself.
3 | [Slice]
4 | MemoryMax=95%
5 |
--------------------------------------------------------------------------------
/roles/gitlab_runner/files/gitlab-runner-docker-cleanup.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Cleanup containers, images and volumes produced by GitLab Runner
3 |
4 | [Service]
5 | Type=oneshot
6 | # The three steps run in order and the unit fails on the first that fails. Only runner-managed
7 | # containers/volumes are pruned; images are pruned by age regardless of who created them.
8 | ExecStart=docker system prune --force --filter label=com.gitlab.gitlab-runner.managed=true
9 | ExecStart=docker volume prune --all --force --filter label=com.gitlab.gitlab-runner.managed=true
10 | ExecStart=docker image prune --all --force --filter until=168h
11 |
--------------------------------------------------------------------------------
/roles/gitlab_runner/files/gitlab-runner-docker-cleanup.timer:
--------------------------------------------------------------------------------
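1 | [Unit]
2 | # The description used to say "daily", but the schedule below is weekly with up to a day of jitter.
3 | Description=Run gitlab-runner-docker-cleanup.service weekly
4 |
5 | [Timer]
6 | OnCalendar=weekly
7 | Persistent=true
8 | RandomizedDelaySec=1d
9 |
10 | [Install]
11 | WantedBy=timers.target
12 |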
--------------------------------------------------------------------------------
/roles/gitlab_runner/files/libvirt-executor-fetch-image.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Fetch libvirt-executor image
3 | # Needs a working network and DNS: the script downloads the VM image.
4 | Wants=network-online.target
5 | After=network-online.target nss-lookup.target
6 |
7 | [Service]
8 | Type=oneshot
9 | # The fetch script is not part of this listing; whether it verifies the image (checksum/signature)
10 | # before CI jobs run on it decides how much the downloaded image is trusted — confirm.
11 | ExecStart=/usr/local/bin/libvirt-executor-fetch-image
12 |
--------------------------------------------------------------------------------
/roles/gitlab_runner/files/libvirt-executor-fetch-image.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Run libvirt-executor-fetch-image.service daily
3 |
4 | [Timer]
5 | # One hour after the "Nightly build" pipeline
6 | # https://gitlab.archlinux.org/archlinux/arch-boxes/-/pipeline_schedules
7 | # (plus up to an hour of jitter); a run missed during downtime is made up on boot.
8 | OnCalendar=06:00 UTC
9 | Persistent=true
10 | RandomizedDelaySec=1h
11 |
12 | [Install]
13 | WantedBy=timers.target
14 |
--------------------------------------------------------------------------------
/roles/gitlab_runner/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: Systemd daemon-reload
2 |   systemd_service:
3 |     daemon_reload: true
4 |
5 | - name: Restart gitlab-runner
6 |   service:
7 |     name: gitlab-runner
8 |     state: restarted
9 |
10 | # Reload first so an edited timer unit is re-read before the restart.
11 | - name: Restart gitlab-runner-docker-cleanup.timer
12 |   systemd_service:
13 |     name: gitlab-runner-docker-cleanup.timer
14 |     state: restarted
15 |     daemon_reload: true
16 |
17 | # daemon.json changes need a docker restart; running job containers are affected.
18 | - name: Restart docker
19 |   service:
20 |     name: docker
21 |     state: restarted
22 |
--------------------------------------------------------------------------------
/roles/gluebuddy/files/gluebuddy.timer:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=gluebuddy timer
3 |
4 | # Five minutes after boot, then every 30 minutes after the previous run, with a minute of jitter.
5 | [Timer]
6 | OnUnitActiveSec=30min
7 | OnBootSec=5min
8 | RandomizedDelaySec=1min
9 |
10 | [Install]
11 | WantedBy=timers.target
12 |
--------------------------------------------------------------------------------
/roles/gluebuddy/handlers/main.yml:
--------------------------------------------------------------------------------
1 | # Reload unit definitions after a gluebuddy unit file changed.
2 | - name: Daemon reload
3 |   systemd_service:
4 |     daemon_reload: true
5 |
--------------------------------------------------------------------------------
/roles/gluebuddy/templates/gluebuddy.conf.j2:
--------------------------------------------------------------------------------
1 | # Environment for gluebuddy; contains live credentials for GitLab and Keycloak, so the deployed
2 | # file must stay unreadable to other users.
3 | GLUEBUDDY_GITLAB_TOKEN={{ vault_gitlab_gluebuddy_token }}
4 | GLUEBUDDY_KEYCLOAK_USERNAME=gluebuddy
5 | # NOTE(review): the vault variable is named as an OpenID client secret but is passed as a
6 | # password — confirm that is what gluebuddy expects.
7 | GLUEBUDDY_KEYCLOAK_PASSWORD={{ vault_keycloak_gluebuddy_openid_client_secret }}
8 | GLUEBUDDY_KEYCLOAK_REALM=archlinux
9 | GLUEBUDDY_KEYCLOAK_URL=https://accounts.archlinux.org
10 | # Same bot list the GitLab token extender uses.
11 | GLUEBUDDY_GITLAB_BOT_USERS={{ gitlab_bots|join(',') }}
12 |
--------------------------------------------------------------------------------
/roles/grafana/defaults/main.yml:
--------------------------------------------------------------------------------
1 | grafana_domain: "grafana.archlinux.org"
2 | # When true, dashboard provisioning switches to the curated public-dashboards tree
3 | # (see dashboard.yaml.j2), so nothing internal is exposed to anonymous viewers.
4 | grafana_anonymous_access: false
5 |
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/archive.json:
--------------------------------------------------------------------------------
1 | ../dashboards/archive.json
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/aur.json:
--------------------------------------------------------------------------------
1 | ../dashboards/aur.json
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/debuginfod.json:
--------------------------------------------------------------------------------
1 | ../dashboards/debuginfod.json
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/geo_mirrors.json:
--------------------------------------------------------------------------------
1 | ../dashboards/geo_mirrors.json
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/goaurrpc.json:
--------------------------------------------------------------------------------
1 | ../dashboards/goaurrpc.json
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/rebuilderd.json:
--------------------------------------------------------------------------------
1 | ../dashboards/rebuilderd.json
--------------------------------------------------------------------------------
/roles/grafana/files/public-dashboards/repository.json:
--------------------------------------------------------------------------------
1 | ../dashboards/repository.json
--------------------------------------------------------------------------------
/roles/grafana/handlers/main.yml:
--------------------------------------------------------------------------------
# Full restart; grafana does not reload its provisioning on SIGHUP.
- name: Restart grafana
  service:
    name: grafana
    state: restarted
3 |
--------------------------------------------------------------------------------
/roles/grafana/templates/dashboard.yaml.j2:
--------------------------------------------------------------------------------
# Grafana dashboard provisioning. Dashboards are read-only from the UI
# (editable/allowUiUpdates false) so the files in the role stay the source
# of truth.
apiVersion: 1

providers:
  - name: 'default'
    orgId: 1
    folder: ''
    folderUid: ''
    editable: false
    allowUiUpdates: false
    type: file
    options:
{% if grafana_anonymous_access %}
      # Anonymous instances only expose the curated public subset.
      path: /var/lib/grafana/public-dashboards
{% else %}
      path: /var/lib/grafana/dashboards
{% endif %}
      foldersFromFilesStructure: true
18 |
19 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-bpf_jit_harden.conf:
--------------------------------------------------------------------------------
1 | net.core.bpf_jit_harden = 2
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-dmesg-restrict.conf:
--------------------------------------------------------------------------------
1 | kernel.dmesg_restrict = 1
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-kexec_load_disabled.conf:
--------------------------------------------------------------------------------
1 | kernel.kexec_load_disabled = 1
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-kptr-restrict.conf:
--------------------------------------------------------------------------------
1 | kernel.kptr_restrict = 2
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-lockdown.conf:
--------------------------------------------------------------------------------
1 | w! /sys/kernel/security/lockdown - - - - integrity
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-ptrace-restrict.conf:
--------------------------------------------------------------------------------
1 | kernel.yama.ptrace_scope = 2
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-unprivileged_bpf_disabled.conf:
--------------------------------------------------------------------------------
1 | kernel.unprivileged_bpf_disabled = 1
2 |
--------------------------------------------------------------------------------
/roles/hardening/files/50-unprivileged_userns_clone.conf:
--------------------------------------------------------------------------------
1 | kernel.unprivileged_userns_clone = 0
2 |
--------------------------------------------------------------------------------
/roles/hardening/handlers/main.yml:
--------------------------------------------------------------------------------
# Re-apply every sysctl.d fragment after one of the hardening files changed.
- name: Apply sysctl settings # noqa no-changed-when
  command: sysctl --system
3 |
--------------------------------------------------------------------------------
/roles/hedgedoc/defaults/main.yml:
--------------------------------------------------------------------------------
# Path of the rendered nginx vhost for hedgedoc.
hedgedoc_nginx_conf: /etc/nginx/nginx.d/hedgedoc.conf
# Public hostname the service is reachable under.
hedgedoc_domain: md.archlinux.org
3 |
--------------------------------------------------------------------------------
/roles/hetzner_storagebox/templates/authorized_keys.j2:
--------------------------------------------------------------------------------
#jinja2: lstrip_blocks: True
{# authorized_keys for the storage box: one entry per DevOps user from
   root_ssh_keys whose `hosts` list is absent or names this host, plus any
   `additional_keys`. Key material is read from pubkeys/ in the repo. #}
# Arch DevOps keys
{% for user in root_ssh_keys | sort(attribute="key") -%}
{% if user.hosts is not defined or inventory_hostname in user.hosts -%}
{{ lookup('file', role_path + '/../../pubkeys/' + user.key ) }}
{% if user.additional_keys is defined %}
{% for key in user.additional_keys | sort -%}
{{ lookup('file', role_path + '/../../pubkeys/' + key ) }}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}
13 |
--------------------------------------------------------------------------------
/roles/hetzner_storagebox/templates/authorized_keys_client.j2:
--------------------------------------------------------------------------------
1 | restrict {{ item['stdout'] }}
2 |
--------------------------------------------------------------------------------
/roles/install_arch/files/ec2-public-keys:
--------------------------------------------------------------------------------
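#!/usr/bin/python
"""Populate root's authorized_keys from the instance metadata service.

Runs on first boot (see ec2-public-keys.service, which orders this unit
before sshd.service) and writes every key the metadata endpoint returns
to /root/.ssh/authorized_keys.
"""

import os
import tempfile
from pathlib import Path

import requests

# Link-local metadata endpoint; only reachable from inside the instance.
METADATA_URL = "http://169.254.169.254/2009-04-04/meta-data/public-keys"
# Bound the request so a stalled metadata service cannot hold up the boot
# sequence (and therefore sshd) indefinitely.
TIMEOUT_SECONDS = 10

AUTHORIZED_KEYS = Path("/root/.ssh/authorized_keys")


def fetch_public_keys():
    """Return the public keys published by the metadata service.

    Raises requests.HTTPError on a non-2xx response and
    requests.RequestException on connection failure or timeout.
    """
    response = requests.get(METADATA_URL, timeout=TIMEOUT_SECONDS)
    response.raise_for_status()
    # NOTE(review): the endpoint is assumed to return a JSON array of key
    # strings, as the original script did; confirm against the provider's
    # metadata format. A provider that enforces session-token metadata
    # access will reject this unauthenticated GET.
    return response.json()


def write_authorized_keys(path, keys):
    """Write ``keys`` (one per line) to ``path`` with owner-only permissions.

    The file is created mode 0600 from the start and moved into place
    atomically, so a partially written or group/world-readable
    authorized_keys is never visible on disk.
    """
    path.parent.mkdir(mode=0o700, exist_ok=True)
    # mkdir's mode is subject to the umask and ignored for an existing
    # directory; enforce the directory mode explicitly.
    os.chmod(path.parent, 0o700)

    # mkstemp creates the file with mode 0600 in the target directory.
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as file:
            for key in keys:
                file.write(f"{key}\n")
        os.chmod(tmp_name, 0o600)
        os.replace(tmp_name, path)
    except BaseException:
        os.unlink(tmp_name)
        raise


if __name__ == "__main__":
    write_authorized_keys(AUTHORIZED_KEYS, fetch_public_keys())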
19 |
--------------------------------------------------------------------------------
/roles/install_arch/files/ec2-public-keys.service:
--------------------------------------------------------------------------------
[Unit]
Description=Fetch SSH public keys from the metadata service
# Keys must be in place before sshd accepts its first connection.
Before=sshd.service
# Needs a configured network to reach the link-local metadata address.
After=systemd-networkd-wait-online.service
# One-shot provisioning: only the very first boot of the image.
ConditionFirstBoot=yes

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ec2-public-keys

[Install]
WantedBy=multi-user.target
14 |
--------------------------------------------------------------------------------
/roles/install_arch/files/pacman-init.service:
--------------------------------------------------------------------------------
[Unit]
Description=Initializes Pacman keyring
# Finish keyring setup before anyone can log in and run pacman.
Before=sshd.service
# First boot only; the keyring persists afterwards.
ConditionFirstBoot=yes

[Service]
Type=oneshot
RemainAfterExit=yes
# Create the local keyring, then import and trust the archlinux master keys.
ExecStart=/usr/bin/pacman-key --init
ExecStart=/usr/bin/pacman-key --populate archlinux

[Install]
WantedBy=multi-user.target
14 |
--------------------------------------------------------------------------------
/roles/install_arch/templates/mirrorlist.j2:
--------------------------------------------------------------------------------
1 | ../../common/templates/mirrorlist.j2
--------------------------------------------------------------------------------
/roles/install_arch/templates/sshd_config.j2:
--------------------------------------------------------------------------------
1 | ../../sshd/templates/sshd_config.j2
--------------------------------------------------------------------------------
/roles/keycloak/defaults/main.yml:
--------------------------------------------------------------------------------
# PostgreSQL database used by Keycloak.
keycloak_db_name: keycloak
# Public hostname of the identity provider.
keycloak_domain: accounts.archlinux.org
# Local port Keycloak listens on behind nginx.
keycloak_port: "8080"
# htpasswd file nginx uses for basic auth; the name suggests it guards the
# Prometheus metrics endpoint — confirm in the vhost template.
keycloak_nginx_htpasswd: /etc/nginx/auth/prometheus
5 |
--------------------------------------------------------------------------------
/roles/keycloak/files/create-keycloak-admin.conf:
--------------------------------------------------------------------------------
[Service]
# Bootstrap admin credentials; the leading "-" makes a missing file a no-op
# instead of a unit failure once the admin has been created and the file
# removed.
EnvironmentFile=-/etc/keycloak/admin-user.conf
3 |
--------------------------------------------------------------------------------
/roles/keycloak/handlers/main.yml:
--------------------------------------------------------------------------------
# Keycloak reads its configuration only at startup.
- name: Restart keycloak
  service:
    name: keycloak
    state: restarted

# Pick up edited unit files or drop-ins.
- name: Daemon reload
  systemd_service:
    daemon_reload: true
7 |
--------------------------------------------------------------------------------
/roles/keycloak/templates/admin-user.conf.j2:
--------------------------------------------------------------------------------
# Initial Keycloak admin account, sourced from the vault. Keycloak only
# consumes these variables to create the account on first start; keep the
# rendered file root-only since it holds a plaintext password.
KEYCLOAK_ADMIN="{{ vault_keycloak_admin_user }}"
KEYCLOAK_ADMIN_PASSWORD="{{ vault_keycloak_admin_password }}"
3 |
--------------------------------------------------------------------------------
/roles/libvirt/files/images.xml:
--------------------------------------------------------------------------------
1 |
2 | images
3 |
4 | /var/lib/libvirt/images
5 |
6 |
7 |
--------------------------------------------------------------------------------
/roles/loki/files/loki-override.conf:
--------------------------------------------------------------------------------
[Service]
# Throttle loki's allocations above 5.5G and hard-cap at 6G so a query
# burst cannot take the whole host down.
MemoryHigh=5.5G
MemoryMax=6G
# Let systemd-oomd kill the service when its cgroup sits above 60% memory
# pressure instead of waiting for the kernel OOM killer.
ManagedOOMMemoryPressure=kill
ManagedOOMMemoryPressureLimit=60%
6 |
--------------------------------------------------------------------------------
/roles/loki/files/rules.yaml:
--------------------------------------------------------------------------------
# Loki recording rules over the nginx JSON access logs: pre-aggregate
# request rates so dashboards do not re-parse raw log lines.
groups:
  - name: NginxRules
    interval: 1m
    rules:
      # Requests per second broken down by protocol version and TLS
      # parameters; useful for spotting legacy TLS/cipher use.
      - record: instance_http_version_tls_version_tls_cipher:requests:rate1m
        expr: 'sum by (instance, http_version, tls_version, tls_cipher) (rate({job="nginx"}[1m] | json http_version="server_protocol", tls_version="ssl_protocol", tls_cipher="ssl_cipher"))'
      # Requests per second by upstream cache status.
      - record: instance_cache_status:requests:rate1m
        expr: 'sum by (instance, cache_status) (rate({job="nginx"}[1m] | json cache_status="upstream_cache_status"))'
9 |
--------------------------------------------------------------------------------
/roles/loki/handlers/main.yml:
--------------------------------------------------------------------------------
# Loki re-reads its config and rules only on restart.
- name: Restart loki
  service:
    name: loki
    state: restarted
3 |
--------------------------------------------------------------------------------
/roles/mailman/files/aliases:
--------------------------------------------------------------------------------
# Postfix aliases for the lists host: forward the required local mailboxes
# (RFC 2142 roles) to the main domain instead of delivering locally.
root root@archlinux.org
MAILER-DAEMON postmaster@archlinux.org
postmaster postmaster@archlinux.org
abuse abuse@archlinux.org
5 |
--------------------------------------------------------------------------------
/roles/mailman/files/mailman.patch:
--------------------------------------------------------------------------------
1 | --- a/usr/lib/python3.10/site-packages/mailman/handlers/avoid_duplicates.py
2 | +++ b/usr/lib/python3.10/site-packages/mailman/handlers/avoid_duplicates.py
3 | @@ -113,7 +113,3 @@
4 | newrecips.add(r)
5 | # Set the new list of recipients. XXX recips should always be a set.
6 | msgdata['recipients'] = list(newrecips)
7 | - # RFC 2822 specifies zero or one CC header
8 | - del msg['cc']
9 | - if cc_addresses:
10 | - msg['CC'] = COMMASPACE.join(cc_addresses.values())
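Review bot: Deleting these four lines removes the only comment explaining how the CC header is handled, so the next upstream update can silently reintroduce the rewrite and nothing in the patched file records why it was dropped; `cc_addresses`, which the enclosing function presumably builds before this hunk, also becomes dead state. Leave a one-line marker in place of the removed block, e.g. `# CC header is intentionally left as the sender wrote it (see patch-mailman.hook)`, so the intent survives in the patched source. The enclosing function starts outside the hunk.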
11 |
--------------------------------------------------------------------------------
/roles/mailman/files/milter_header_checks:
--------------------------------------------------------------------------------
# We don't have a Junk folder for mailman so reject mails which are probably spam
# Postfix header_checks (PCRE): match the verdict header rspamd's milter adds
# and reject at SMTP time with the given text. Patterns are matched
# case-insensitively by default.
/^X-Spam: Yes$/ REJECT Your message has been rejected by Rspamd
3 |
--------------------------------------------------------------------------------
/roles/mailman/files/patch-mailman.hook:
--------------------------------------------------------------------------------
# pacman hook: re-apply the local mailman patch every time the mailman3
# package is installed or upgraded, since the upgrade overwrites the file.
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = mailman3

[Action]
Description = Patch mailman to not modify the CC header
When = PostTransaction
# NOTE(review): `patch` is run without --forward, so a second invocation
# against an already-patched file would be detected as reversed and prompt;
# and the python* glob yields several paths if more than one site-packages
# tree exists — verify both assumptions hold on the host.
Exec = /usr/bin/bash -c "patch /usr/lib/python*/site-packages/mailman/handlers/avoid_duplicates.py /usr/local/share/mailman.patch"
11 |
--------------------------------------------------------------------------------
/roles/mailman/handlers/main.yml:
--------------------------------------------------------------------------------
# mailman core picks up config changes on reload.
- name: Reload mailman
  service: name=mailman3 state=reloaded

# uWSGI instance name with the "-" escaped as systemd requires.
- name: Restart mailman-web
  service: name=uwsgi@mailman\\x2dweb.service state=restarted

- name: Reload postfix
  service: name=postfix state=reloaded

# Rebuild the lookup table for each listed map after its source changed.
- name: Run postmap # noqa no-changed-when
  command: postmap /etc/postfix/{{ item }}
  loop:
    - aliases
14 |
--------------------------------------------------------------------------------
/roles/mailman/templates/mailman.cfg.j2:
--------------------------------------------------------------------------------
# Mailman core configuration. The DB and REST credentials come from the
# vault, so the rendered file must not be readable by other users.
[mailman]
site_owner: root@{{ lists_domain }}
layout: fhs

[database]
class: mailman.database.postgresql.PostgreSQLDatabase
# Empty host means a local UNIX-socket connection.
url: postgresql://{{ vault_mailman_db_user }}:{{ vault_mailman_db_password }}@/mailman

[webservice]
# Basic-auth credentials for the REST API used by mailman-web.
admin_user: {{ vault_mailman_admin_user }}
admin_pass: {{ vault_mailman_admin_pass }}

[archiver.hyperkitty]
class: mailman_hyperkitty.Archiver
enable: yes
configuration: /etc/mailman-hyperkitty.cfg
17 |
--------------------------------------------------------------------------------
/roles/maintenance/defaults/main.yml:
--------------------------------------------------------------------------------
# nginx access/error log directory for the maintenance vhost.
maintenance_logs_dir: '/var/log/nginx/maintenance'
# Document root holding the static maintenance page.
maintenance_http_dir: '/srv/http/maintenance'
3 |
--------------------------------------------------------------------------------
/roles/mariadb/handlers/main.yml:
--------------------------------------------------------------------------------
# Server-level my.cnf changes need a full restart.
- name: Restart mariadb
  service:
    name: mariadb
    state: restarted
3 |
--------------------------------------------------------------------------------
/roles/mariadb/templates/client.cnf.j2:
--------------------------------------------------------------------------------
# Client defaults giving the mysql CLI root access without a prompt; the
# password is vault-sourced, so the rendered file must be root-only.
[client]
user=root
password={{ vault_mariadb_users.root }}
4 |
--------------------------------------------------------------------------------
/roles/matrix/files/draupnir.service:
--------------------------------------------------------------------------------
[Unit]
Description=Draupnir Matrix moderation tool
# Prefer to start after the homeserver, but keep running if synapse is
# stopped (Wants, not Requires).
Wants=synapse.service
After=network.target synapse.service

[Service]
# Runs under the homeserver's account; state lives in its home directory.
User=synapse
WorkingDirectory=/var/lib/synapse/draupnir
Environment=NODE_ENV=production
ExecStart=/usr/bin/node lib/index.js --draupnir-config /etc/synapse/draupnir.yaml
Restart=on-failure
RestartSec=30s
# NOTE(review): no sandboxing directives (ProtectSystem=, ProtectHome=,
# NoNewPrivileges=, ...) are set for this network-facing bot — consider
# adding them once the paths it needs are confirmed.

[Install]
WantedBy=multi-user.target

# vim:set ft=systemd sw=2 sts=-1 et:
18 |
--------------------------------------------------------------------------------
/roles/matrix/files/letsencrypt.hook.d:
--------------------------------------------------------------------------------
#!/bin/sh
# Certbot hook for the TURN server: on a successful renewal, have coturn
# reload (or restart if it cannot reload) so it serves the new certificate.
# Any other hook phase is a no-op.

case "$1" in
  renew) systemctl try-reload-or-restart turnserver ;;
esac
6 |
--------------------------------------------------------------------------------
/roles/matrix/files/matrix-appservice-irc.service:
--------------------------------------------------------------------------------
[Unit]
Description=Matrix IRC Bridge
# The bridge cannot run without its database; the homeserver is only
# wanted so a synapse outage does not stop the bridge.
Requires=postgresql.service
Wants=synapse.service
After=network.target postgresql.service synapse.service

[Service]
User=synapse
WorkingDirectory=/var/lib/synapse/matrix-appservice-irc
# ipv4first: prefer A over AAAA records when resolving IRC servers.
ExecStart=/usr/bin/node --dns-result-order=ipv4first app.js \
  -c /etc/synapse/irc-bridge.yaml \
  -f /etc/synapse/appservice-registration-irc.yaml
# Allows binding a port below 1024 as the unprivileged synapse user.
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

# vim:set ft=systemd sw=2 sts=-1 et:
19 |
--------------------------------------------------------------------------------
/roles/matrix/files/pg_hba.conf:
--------------------------------------------------------------------------------
# PostgreSQL client authentication for the matrix host.
# TYPE  DATABASE  USER      ADDRESS        METHOD

# The postgres superuser: OS-user match over the UNIX socket, password
# over loopback TCP.
local all postgres peer
host all postgres 127.0.0.1/32 md5
host all postgres ::1/128 md5

# Every other role may only open the database named after it.
local sameuser all md5
host sameuser all 127.0.0.1/32 md5
host sameuser all ::1/128 md5

# Exception to sameuser: the synapse role also owns the IRC bridge's DB.
local irc synapse md5
# NOTE(review): md5 is the legacy password method; scram-sha-256 is the
# current recommendation and needs the stored passwords re-hashed
# (password_encryption = scram-sha-256) before switching here.
10 |
--------------------------------------------------------------------------------
/roles/matrix/files/turnserver.service.d:
--------------------------------------------------------------------------------
[Service]
# Overrides the packaged service user. NOTE(review): running the TURN
# server as root is a broad privilege; the reason (presumably reading the
# letsencrypt certificate files) is not recorded here — document it or
# grant file access to the service user instead.
User=root

# vim:set ft=systemd sw=2 sts=-1 et:
5 |
--------------------------------------------------------------------------------
/roles/matrix/files/worker-appservice.yaml:
--------------------------------------------------------------------------------
# Synapse worker that pushes events to application services.
worker_name: appservice
worker_app: synapse.app.generic_worker
worker_listeners:
  # Prometheus metrics only, loopback-bound.
  - port: 8020
    type: metrics
    bind_addresses: ['127.0.0.1']

# vim:set sw=2 sts=-1 et:
9 |
--------------------------------------------------------------------------------
/roles/matrix/files/worker-federation_reader.yaml:
--------------------------------------------------------------------------------
# Synapse worker handling inbound federation requests.
worker_name: federation_reader
worker_app: synapse.app.generic_worker
worker_listeners:
  # Federation API, loopback-bound; x_forwarded makes Synapse take the
  # client address from X-Forwarded-For set by the proxy in front.
  - port: 8011
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [federation]
        compress: false
  # Prometheus metrics only, loopback-bound.
  - port: 8021
    type: metrics
    bind_addresses: ['127.0.0.1']

# vim:set sw=2 sts=-1 et:
16 |
--------------------------------------------------------------------------------
/roles/matrix/files/worker-federation_sender.yaml:
--------------------------------------------------------------------------------
# Synapse worker that sends outbound federation traffic.
worker_name: federation_sender
worker_app: synapse.app.generic_worker
worker_listeners:
  # Prometheus metrics only, loopback-bound.
  - port: 8022
    type: metrics
    bind_addresses: ['127.0.0.1']

# vim:set sw=2 sts=-1 et:
9 |
--------------------------------------------------------------------------------
/roles/matrix/files/worker-media_repository.yaml:
--------------------------------------------------------------------------------
# Synapse media repository worker (uploads, downloads, thumbnails).
worker_name: media_repository
worker_app: synapse.app.media_repository
worker_listeners:
  # Media endpoints for clients and federation, loopback-bound behind the
  # proxy (x_forwarded: trust X-Forwarded-For for the client address).
  - port: 8013
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [media, client, federation]
        compress: false
  # Prometheus metrics only, loopback-bound.
  - port: 8023
    type: metrics
    bind_addresses: ['127.0.0.1']

# vim:set sw=2 sts=-1 et:
16 |
--------------------------------------------------------------------------------
/roles/memcached/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Install memcached
  pacman: name=memcached state=present

# Runtime directory definition; register so the creation step below only
# runs when the definition actually changed.
- name: Put memcached.conf into tmpfiles
  template: src=memcached-tmpfiles.d.j2 dest=/etc/tmpfiles.d/memcached.conf owner=root group=root mode=0644
  register: memcachedtmpfiles

# Create /run/memcached now rather than waiting for the next boot;
# `creates=` additionally skips the command if the directory exists.
- name: Use tmpfiles.d/memcached.conf
  command: systemd-tmpfiles --create creates=/run/memcached
  when: memcachedtmpfiles.changed
11 |
--------------------------------------------------------------------------------
/roles/memcached/templates/memcached-tmpfiles.d.j2:
--------------------------------------------------------------------------------
1 | d /run/memcached 0775 memcached memcached - -
2 |
--------------------------------------------------------------------------------
/roles/mirrorsync/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Install rsync
  pacman: name=rsync state=present

# mirrorsync_mirrors is a dict keyed by mirror name; each entry lists the
# hosts that should carry it, so only matching entries are set up here.
- name: Set up synchronization
  include_tasks: sync.yml
  loop: "{{ mirrorsync_mirrors | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: inventory_hostname in item.value.hosts

# Only mirrors with a mirror_domain get an nginx vhost (see web.yml).
- name: Set up nginx
  include_tasks: web.yml
  loop: "{{ mirrorsync_mirrors | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when:
    - item.value.mirror_domain is defined
    - inventory_hostname in item.value.hosts
19 |
--------------------------------------------------------------------------------
/roles/mirrorsync/tasks/web.yml:
--------------------------------------------------------------------------------
# Per-mirror web setup; `item` is one mirrorsync_mirrors entry (key/value).
- name: Create ssl cert for {{ item.value.mirror_domain }}
  include_role:
    name: certificate
  vars:
    domains: ["{{ item.value.mirror_domain }}"]
    # DNS-01 so the certificate can be issued before the vhost answers HTTP.
    challenge: "DNS-01"

- name: Configure nginx for {{ item.value.mirror_domain }}
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/{{ item.key }}.conf owner=root group=root mode=0644
  notify: Reload nginx
  tags: ['nginx']

- name: Make nginx log dir for {{ item.value.mirror_domain }}
  file: path=/var/log/nginx/{{ item.value.mirror_domain }} state=directory owner=root group=root mode=0755
15 |
--------------------------------------------------------------------------------
/roles/mirrorsync/templates/mirrorsync.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Synchronize {{ item.key }} mirror
# Never sync into an unmounted target path.
RequiresMountsFor={{ item.value.target }}
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/sync{{ item.key }}
# Keep bulk rsync traffic from starving interactive and serving workloads.
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
13 |
--------------------------------------------------------------------------------
/roles/mirrorsync/templates/mirrorsync.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Minutely {{ item.key }} mirror sync

[Timer]
OnCalendar=minutely
# Fire within a minute of the schedule; Persistent catches up a run missed
# while the host was down.
AccuracySec=1m
Persistent=true

[Install]
WantedBy=timers.target
11 |
--------------------------------------------------------------------------------
/roles/mta_sts/defaults/main.yml:
--------------------------------------------------------------------------------
# MTA-STS policies to publish: each entry names the permitted MX hosts and
# the domains that share that policy.
mta_sts:
  - mx:
      - mail.archlinux.org
    domains:
      - archlinux.org
      - aur.archlinux.org
      - master-key.archlinux.org
  - mx:
      - lists.archlinux.org
    domains:
      - lists.archlinux.org
12 |
--------------------------------------------------------------------------------
/roles/mta_sts/tasks/main.yml:
--------------------------------------------------------------------------------
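# One certificate per policy entry covering mta-sts.<domain> for every
# domain listed, since the policy is fetched from that well-known hostname.
- name: Create ssl cert
  include_role:
    name: certificate
  vars:
    domains: "{{ ['mta-sts.'] | product(item.domains) | map('join') }}"
  loop: "{{ mta_sts }}"

# Log directory named after the entry's first mta-sts hostname.
- name: Make nginx log dir
  file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755
  loop: "{{ mta_sts }}"

# Single vhost file for all entries. mode is written as 0644 like the rest
# of the repo (the bare 644 was interpreted the same way but is ambiguous).
- name: Set up nginx
  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=0644
  notify: Reload nginx
  tags: ['nginx']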
16 |
--------------------------------------------------------------------------------
/roles/mumble_server/files/restart-mumble-server.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Certbot hook for mumble-server.
#   renew: restart the server so it loads the renewed certificate.
#   post:  copy certificate, key and chain out of the letsencrypt live dir
#          into the server's state directory, owned by the service user and
#          not world-readable (mode 640), since the server cannot read the
#          root-only live directory itself.
live_dir=/etc/letsencrypt/live/mumble.archlinux.org
dest_dir=/var/lib/mumble-server

case "$1" in
  renew)
    systemctl restart mumble-server
    ;;
  post)
    for pem in cert.pem privkey.pem fullchain.pem; do
      install -v -o _mumble-server -g _mumble-server -m 640 "$live_dir/$pem" "$dest_dir/$pem"
    done
    ;;
esac
9 |
--------------------------------------------------------------------------------
/roles/mumble_server/handlers/main.yml:
--------------------------------------------------------------------------------
# Certificate or config changes require a restart.
- name: Restart mumble-server
  service:
    name: mumble-server
    state: restarted
3 |
--------------------------------------------------------------------------------
/roles/networking/defaults/main.yml:
--------------------------------------------------------------------------------
# Non-empty when configuring a chroot during installation; handlers skip
# restarting services in that case.
chroot_path: ""
# Glob matched by the [Match] Name= of the DHCP network unit.
network_interface: "en*"
# Install the sysctl fragment that turns TCP Fast Open off.
network_disable_ipv4_tcp_fast_open: false
4 |
--------------------------------------------------------------------------------
/roles/networking/files/50-tcp_fastopen.conf:
--------------------------------------------------------------------------------
1 | net.ipv4.tcp_fastopen=0
2 |
--------------------------------------------------------------------------------
/roles/networking/files/dns.conf:
--------------------------------------------------------------------------------
# systemd-networkd drop-in: ignore resolvers advertised by DHCP/RA and use
# Quad9 over DNS-over-TLS only.
[DHCPv4]
UseDNS=false

[DHCPv6]
UseDNS=false

[IPv6AcceptRA]
UseDNS=false

[Network]
# The "#name" suffix is the server name used for TLS certificate validation.
DNS=9.9.9.9#dns.quad9.net
DNS=149.112.112.112#dns.quad9.net
DNS=2620:fe::fe#dns.quad9.net
DNS=2620:fe::9#dns.quad9.net
# "true" is strict mode: no fallback to plaintext DNS if TLS fails.
DNSOverTLS=true
16 |
--------------------------------------------------------------------------------
/roles/networking/files/hcloud-init.service:
--------------------------------------------------------------------------------
[Unit]
Description=Apply configuration from HCloud metadata
# Only on KVM guests, and only until the generated networkd drop-in exists.
ConditionVirtualization=kvm
After=systemd-networkd-wait-online.service
# Hold network-online until the metadata-derived config has been applied.
Before=network-online.target
Wants=network-online.target
ConditionPathExists=!/etc/systemd/network/10-dhcp-ethernet.network.d/hcloud.conf

[Service]
ExecStart=/usr/local/bin/hcloud-init
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
16 |
--------------------------------------------------------------------------------
/roles/networking/handlers/main.yml:
--------------------------------------------------------------------------------
# Both handlers are skipped while targeting a chroot (chroot_path set),
# where the running host's services must not be touched.
- name: Restart networkd
  systemd_service:
    name: systemd-networkd
    state: restarted
    daemon_reload: true
  when: chroot_path | length == 0

- name: Restart systemd-sysctl
  systemd_service:
    name: systemd-sysctl
    state: restarted
    daemon_reload: true
  when: chroot_path | length == 0
14 |
--------------------------------------------------------------------------------
/roles/networking/templates/10-dhcp-ethernet.network.j2:
--------------------------------------------------------------------------------
{# Default DHCP configuration for the ethernet interface(s) matching
   network_interface; per-host additions live in drop-ins. #}
[Match]
Name={{ network_interface }}

[Network]
DHCP=yes
Domains=archlinux.org.
7 |
--------------------------------------------------------------------------------
/roles/networking/templates/10-static6-ethernet.network.j2:
--------------------------------------------------------------------------------
{# Static IPv6 for hosts whose provider does not hand out addresses via RA. #}
[Match]
Name={{ ipv6_interface }}

[Network]
Gateway={{ ipv6_gateway }}
{% if ipv6_ignore_ra|default(false) is true %}
IPv6AcceptRA=false
{% endif %}

[Address]
{# For prefixes other than /64 the gateway is declared as the on-link peer so
   it stays reachable even though it is outside the configured prefix. #}
{% if ipv6_netmask != "/64" %}
Peer={{ ipv6_gateway }}/128
{% endif %}
Address={{ ipv6_address }}{{ ipv6_netmask }}
15 |
--------------------------------------------------------------------------------
/roles/networking/templates/additional_addresses.conf.j2:
--------------------------------------------------------------------------------
# Additional addresses to add to the default interface
{# Rendered as a networkd drop-in: one [Address] section per entry of the
   additional_addresses list. #}

{% for address in additional_addresses %}
[Address]
Address={{ address }}

{% endfor %}
8 |
--------------------------------------------------------------------------------
/roles/nginx/defaults/main.yml:
--------------------------------------------------------------------------------
# Document root for ACME HTTP-01 challenge files (see templates/letsencrypt.conf).
letsencrypt_validation_dir: "/var/lib/letsencrypt"
# Firewall zone to open HTTP/HTTPS in; unset (null) by default.
nginx_firewall_zone:
# Extra dynamic modules to install; entries carry at least a `name` key
# (see meta/main.yml).
nginx_extra_modules: []
# Adds QUIC listeners and the Alt-Svc header when enabled.
nginx_enable_http3: false
5 |
--------------------------------------------------------------------------------
/roles/nginx/files/logrotate.conf:
--------------------------------------------------------------------------------
# Plain-text access/error logs: keep a longer history.
/var/log/nginx/*/*.log {
    missingok
    notifempty
    # New files owned by the nginx worker user, readable by the log group only.
    create 640 http log
    sharedscripts
    compress
    size 100M
    rotate 20
    postrotate
        # USR1 asks nginx to reopen its log files; skip if it is not running.
        test ! -r /run/nginx.pid || kill -USR1 `cat /run/nginx.pid`
    endscript
}

# The json files are consumed by promtail so we don't need to keep them around for long
/var/log/nginx/*/*.json {
    missingok
    notifempty
    create 640 http log
    sharedscripts
    compress
    size 10M
    rotate 5
    postrotate
        test ! -r /run/nginx.pid || kill -USR1 `cat /run/nginx.pid`
    endscript
}
27 |
--------------------------------------------------------------------------------
/roles/nginx/files/nginx.service.d/local.conf:
--------------------------------------------------------------------------------
[Service]
# Drop nginx's stdout from the journal; logs go to the files under
# /var/log/nginx instead.
StandardOutput=null
3 |
--------------------------------------------------------------------------------
/roles/nginx/handlers/main.yml:
--------------------------------------------------------------------------------
# A reload re-reads vhosts and certificates without dropping connections.
- name: Reload nginx
  service:
    name: nginx
    state: reloaded
3 |
--------------------------------------------------------------------------------
/roles/nginx/meta/main.yml:
--------------------------------------------------------------------------------
# The GeoIP database updater is only needed when the geoip2 module is among
# nginx_extra_modules.
dependencies:
  - role: geoipupdate
    when: "'geoip2' in (nginx_extra_modules | map(attribute='name') )"
4 |
--------------------------------------------------------------------------------
/roles/nginx/templates/headers.conf:
--------------------------------------------------------------------------------
{# Shared security headers for every vhost. `always` emits them on error
   responses too. $hsts_header and $alt_svc_header are defined outside this
   snippet (not visible here). #}
add_header Strict-Transport-Security $hsts_header always;
{% if nginx_enable_http3 %}
add_header Alt-Svc $alt_svc_header always;
{% endif %}
5 |
--------------------------------------------------------------------------------
/roles/nginx/templates/letsencrypt.conf:
--------------------------------------------------------------------------------
# Serve ACME HTTP-01 challenge files from the shared validation directory;
# anything else under the prefix is a 404 rather than falling through to the
# vhost's own handlers.
location /.well-known/acme-challenge/ {
    root {{ letsencrypt_validation_dir }};
    default_type "text/plain";
    try_files $uri =404;
}
6 |
--------------------------------------------------------------------------------
/roles/nginx/templates/letsencrypt.hook.d.j2:
--------------------------------------------------------------------------------
#!/bin/sh
# Certbot hook: after a successful renewal, reload nginx so it picks up the
# new certificate. Every other hook phase is a no-op.

case "$1" in
  renew) systemctl reload nginx ;;
esac
6 |
--------------------------------------------------------------------------------
/roles/nginx/templates/listen-443.conf.j2:
--------------------------------------------------------------------------------
{# TLS listeners shared by all vhosts; QUIC listeners are added when HTTP/3
   is enabled. #}
listen 443 ssl;
listen [::]:443 ssl;
{% if nginx_enable_http3 %}
listen 443 quic;
listen [::]:443 quic;
{% endif %}
http2 on;
8 |
--------------------------------------------------------------------------------
/roles/nginx/templates/nginx-hostname-vhost.conf.j2:
--------------------------------------------------------------------------------
# Catch-all default vhost: answers every request for a name no other server
# block claims.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
{% if nginx_enable_http3 %}
    # reuseport on the default QUIC listener, as nginx's QUIC setup calls for.
    listen 443 default_server quic reuseport;
    listen [::]:443 default_server quic reuseport;
{% endif %}
    http2 on;
    # Abort the TLS handshake for unknown SNI names instead of presenting
    # another vhost's certificate; no default certificate is needed.
    ssl_reject_handshake on;
    root /srv/http;

    # ACME HTTP-01 challenges must still be answered on the default host.
    include snippets/letsencrypt.conf;

    location / {
        return 404;
    }
}
20 |
--------------------------------------------------------------------------------
/roles/opensearch/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler notified by the opensearch role's config/package tasks.
- name: Restart opensearch
  systemd_service: name=opensearch state=restarted

--------------------------------------------------------------------------------
/roles/php_fpm/defaults/main.yml:
--------------------------------------------------------------------------------
# Extensions enabled in the generated php.ini (consumed by php.ini.j2).
php_extensions:
  - curl
  - zip

# Zend extensions are loaded with zend_extension= rather than extension=.
zend_extensions:
  - opcache

--------------------------------------------------------------------------------
/roles/php_fpm/files/php-fpm@.socket:
--------------------------------------------------------------------------------
# Template socket unit: one PHP-FPM listener per pool, the instance name (%i)
# doubles as the pool's Unix user.
[Unit]
Description=PHP-FPM socket for %i

[Socket]
ListenStream=/run/php-fpm/%i.socket
# Owner (pool user) and the http group may connect; nobody else can reach the pool.
SocketMode=0660
SocketUser=%i
SocketGroup=http

[Install]
WantedBy=sockets.target

--------------------------------------------------------------------------------
/roles/php_fpm/handlers/main.yaml:
--------------------------------------------------------------------------------
# Re-read unit files after the php-fpm@ units are copied into /etc/systemd/system.
- name: Daemon reload
  systemd_service:
    daemon-reload: true

--------------------------------------------------------------------------------
/roles/php_fpm/tasks/main.yaml:
--------------------------------------------------------------------------------
- name: Install php-fpm
  pacman: name=php-fpm,php-gd,php-pgsql state=present

# Socket-activated per-pool units (see php-fpm@.socket); a daemon-reload is
# needed before systemd sees the new template units.
- name: Install php-fpm units
  copy: >
    src={{ item }} dest=/etc/systemd/system/{{ item }}
    owner=root group=root mode=0644
  loop:
    - php-fpm@.socket
    - php-fpm@.service
  notify: Daemon reload

# Global php.ini; extension lists come from defaults/main.yml.
- name: Configure default php.ini
  template: >
    src=php.ini.j2 dest=/etc/php/php.ini
    owner=root group=root mode=0644

--------------------------------------------------------------------------------
/roles/phrik/files/20-manage-phrik.rules:
--------------------------------------------------------------------------------
// polkit rule: members of the "phrik" group may start/stop/restart the
// phrik.service unit (and nothing else) without authenticating. Any request
// that is not a manage-units action on exactly that unit falls through to the
// default policy.
polkit.addRule(function(action, subject) {
    if (action.id != "org.freedesktop.systemd1.manage-units") {
        return;
    }
    if (action.lookup("unit") != "phrik.service") {
        return;
    }
    if (subject.isInGroup("phrik")) {
        return polkit.Result.YES;
    }
});

--------------------------------------------------------------------------------
/roles/phrik/files/phrik.service:
--------------------------------------------------------------------------------
[Unit]
Description=The official Arch Linux IRC bot

[Service]
# Runs from the phrik user's home (venv + config), so ProtectHome= is not
# used here; presumably it would hide the bot's own files — confirm before adding.
ExecStart=/home/phrik/venv/bin/supybot /home/phrik/phrik/phrik.conf
Restart=on-failure
# Unprivileged user; the process cannot gain privileges and /usr, /boot, /etc
# are read-only for it.
NoNewPrivileges=true
ProtectSystem=full
User=phrik

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/roles/phrik/files/sudoers:
--------------------------------------------------------------------------------
# Allow everyone in the phrik group to run any command as phrik
# (the runas list is only the phrik user, so this grants no root access;
# the matching polkit rule covers restarting the unit).
%phrik ALL = (phrik) NOPASSWD: ALL

--------------------------------------------------------------------------------
/roles/ping/defaults/main.yml:
--------------------------------------------------------------------------------
# Hostname the ping vhost (and its certificate) is issued for.
ping_domain: 'ping.archlinux.org'

--------------------------------------------------------------------------------
/roles/ping/tasks/main.yml:
--------------------------------------------------------------------------------
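# Sets up the ping.archlinux.org vhost: certificate, log directory, nginx config.
- name: Create ssl cert
  include_role:
    name: certificate
  vars:
    domains: ["{{ ping_domain }}"]

- name: Make nginx log dir
  file: path=/var/log/nginx/{{ ping_domain }} state=directory owner=root group=root mode=0755

# mode is written with the leading zero like every other task in the repo
# (key=value args are strings, so 644 and 0644 both mean octal 0644).
- name: Set up nginx
  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/ping.conf" owner=root group=root mode=0644
  notify: Reload nginx
  tags: ['nginx']
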
--------------------------------------------------------------------------------
/roles/postfix/defaults/main.yml:
--------------------------------------------------------------------------------
# Primary mail hostname; also the domain the letsencrypt hook reloads postfix for.
mail_domain: "mail.archlinux.org"

# Wiki bounce handling: transport.pcre.j2 routes wikibounce-* addresses to
# this handler, which runs as the dedicated user below.
postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl"
postfix_wiki_bounce_user: "wiki_bouncehandler"
postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf"

--------------------------------------------------------------------------------
/roles/postfix/files/domains:
--------------------------------------------------------------------------------
# Postfix lookup table of additional domains this host accepts mail for
# (compiled with postmap by the "Postmap additional files" handler).
# mydomain shouldn't be listed here
#archlinux.org a
aur.archlinux.org a
master-key.archlinux.org a


--------------------------------------------------------------------------------
/roles/postfix/files/msa_header_checks:
--------------------------------------------------------------------------------
# header_checks for the submission (MSA) path: drop headers that would leak
# the submitting client's IP/hostname and mail software to recipients.
/^Received:/ IGNORE
/^User-Agent:/ IGNORE

--------------------------------------------------------------------------------
/roles/postfix/handlers/main.yml:
--------------------------------------------------------------------------------
- name: Restart postfix
  service:
    name: postfix
    state: restarted

# `postfix reload` re-reads main.cf/master.cf without dropping connections.
- name: Reload postfix # noqa no-changed-when
  command: postfix reload

# Rebuild the .db files for hash-type lookup tables shipped as plain files.
- name: Postmap additional files # noqa no-changed-when
  command: postmap /etc/postfix/{{ item }}
  loop:
    - domains
    - msa_header_checks

- name: Update aliases db # noqa no-changed-when
  command: postalias /etc/postfix/aliases

--------------------------------------------------------------------------------
/roles/postfix/templates/letsencrypt.hook.d.j2:
--------------------------------------------------------------------------------
#!/bin/sh
# Certificate hook for postfix: reload postfix only when the renewal covered
# the mail domain. RENEWED_DOMAINS is exported by the ACME client for its
# renew hooks (space-separated list of domains in the renewed certificate).

test "$1" = renew || exit 0

check_domain="{{ mail_domain }}"

for domain in $RENEWED_DOMAINS; do
    case "$domain" in
        # unquoted on purpose: plain hostnames contain no glob characters
        $check_domain)
            systemctl reload postfix
            ;;
    esac
done

--------------------------------------------------------------------------------
/roles/postfix/templates/transport.pcre.j2:
--------------------------------------------------------------------------------
#
# {{ansible_managed}}
#
# Route wiki bounce addresses to the wiki_bouncehandler transport.
# NOTE(review): the 15 trailing "." and the "." in archlinux.org match ANY
# character, not just word chars / a literal dot — confirm this is the intended
# address shape (e.g. \w{15} and \.) before relying on it as a filter.
/wikibounce-[\w.]+-\w+-\w+-\w...............@archlinux.org/ wiki_bouncehandler:

--------------------------------------------------------------------------------
/roles/postfix/templates/wiki-bouncehandler.conf.j2:
--------------------------------------------------------------------------------
#
# {{ansible_managed}}
#
# Credentials the bounce handler uses to log in to the wiki; the values come
# from the vault. The file mode is set by the deploying task (not visible here).
[bot_credentials]
username = {{wiki_bouncehandler_username}}
password = {{wiki_bouncehandler_password}}

--------------------------------------------------------------------------------
/roles/postfix_null/defaults/main.yml:
--------------------------------------------------------------------------------
# Host that null-client postfix instances relay all outgoing mail through.
postfix_relayhost: "mail.archlinux.org"

--------------------------------------------------------------------------------
/roles/postfix_null/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler for config changes on null-client hosts.
- name: Reload postfix
  service: name=postfix state=reloaded

--------------------------------------------------------------------------------
/roles/postfix_null/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  description: postfix_null role
  standalone: false

# Applying a null client also (re)runs the postfwd role, delegated to the relay
# host, presumably so the relay's policy picks up the new client — confirm.
dependencies:
  - role: postfwd
    delegate_to: mail.archlinux.org

--------------------------------------------------------------------------------
/roles/postfix_null/templates/relay_passwords.j2:
--------------------------------------------------------------------------------
#
# {{ansible_managed}}
#
# SASL credentials for the relay host: "<relayhost> <user>:<password>".
# Each host authenticates with its own short hostname as the login.
{{postfix_relayhost}} {{inventory_hostname_short}}:{{postfix_relay_password}}

--------------------------------------------------------------------------------
/roles/postfwd/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler notified when postfwd.cf changes.
- name: Reload postfwd
  service: name=postfwd state=reloaded

--------------------------------------------------------------------------------
/roles/postfwd/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Install postfwd
  pacman: name=postfwd state=present

# Policy file readable only by the postfwd user (0600); it may embed
# per-client data that should not be world-readable.
- name: Install postfwd.cf
  template: src=postfwd.cf.j2 dest=/etc/postfwd/postfwd.cf owner=postfwd group=root mode=0600
  notify:
    - Reload postfwd

- name: Start and enable postfwd
  service: name=postfwd enabled=yes state=started

--------------------------------------------------------------------------------
/roles/postgres/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler for postgresql.conf / pg_hba changes.
- name: Restart postgres
  service: name=postgresql state=restarted

--------------------------------------------------------------------------------
/roles/postgres/templates/letsencrypt.hook.d.j2:
--------------------------------------------------------------------------------
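#!/bin/sh
# Certificate hook for PostgreSQL: when the renewal covered this host's
# certificate, copy key and chain into the data directory (owned by postgres,
# mode 400 — PostgreSQL refuses a key file with wider permissions) and reload.
# RENEWED_DOMAINS is exported by the ACME client for its renew hooks.

test "$1" = renew || exit 0

postgres_domain="{{ inventory_hostname }}"
live_dir="/etc/letsencrypt/live/$postgres_domain"

for domain in $RENEWED_DOMAINS; do
    case "$domain" in
        "$postgres_domain")
            # Listed explicitly: {a,b,c} brace expansion is a bash extension
            # and is not guaranteed under #!/bin/sh.
            for pem in privkey.pem fullchain.pem chain.pem; do
                install -o postgres -g postgres -m 400 \
                    "$live_dir/$pem" \
                    "/var/lib/postgres/data/$pem"
            done
            systemctl reload postgresql
            break
            ;;
    esac
done
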
--------------------------------------------------------------------------------
/roles/prometheus/handlers/main.yml:
--------------------------------------------------------------------------------
# Reload for rule/config changes; restart for changes to PROMETHEUS_ARGS.
- name: Reload prometheus
  service: name=prometheus state=reloaded

- name: Restart prometheus
  service: name=prometheus state=restarted

--------------------------------------------------------------------------------
/roles/prometheus/templates/prometheus.conf.j2:
--------------------------------------------------------------------------------
# Environment file consumed by the prometheus unit (PROMETHEUS_ARGS).
# Receive-only instances listen on the WireGuard address and require the
# basic-auth users from web-config.yml; all other instances keep the
# remote-write receiver bound to localhost only.
{% if prometheus_receive_only %}
PROMETHEUS_ARGS="--storage.tsdb.retention.time=365d --web.enable-remote-write-receiver --web.config.file=/etc/prometheus/web-config.yml --web.listen-address={{ wireguard_address }}:9090"
{% else %}
PROMETHEUS_ARGS="--storage.tsdb.retention.time=365d --web.enable-remote-write-receiver --web.listen-address=127.0.0.1:9090"
{% endif %}

--------------------------------------------------------------------------------
/roles/prometheus/templates/web-config.yml.j2:
--------------------------------------------------------------------------------
# Usernames and passwords required to connect to Prometheus.
# Passwords are hashed with bcrypt: https://github.com/prometheus/exporter-toolkit/blob/46630604b0f1c5d64fbd3eb3010d91af38dc798b/docs/web-configuration.md#about-bcrypt
# NOTE(review): password_hash() without an explicit salt produces a different
# hash on every run, so this template will report "changed" each play — confirm
# whether that churn (and any handler it triggers) is acceptable.
basic_auth_users:
  {{ vault_prometheus_user }}: {{ vault_prometheus_passwd | password_hash('bcrypt') }}

--------------------------------------------------------------------------------
/roles/prometheus_exporters/defaults/main.yml:
--------------------------------------------------------------------------------
# Directory the textfile collectors write *.prom files into; node_exporter
# reads it via --collector.textfile.directory.
prometheus_textfile_dir: /var/lib/node_exporter

gitlab_runner_exporter_port: '9252'

# DB user the mysqld exporter authenticates as (password comes from the vault).
prometheus_mysqld_user: mysqld_exporter
prometheus_mysqld_exporter_port: '9104'

# Passed to the gitlab exporter as GITLAB_EXPORTER_TOP_NTH.
gitlab_exporter_top_nth: 15

--------------------------------------------------------------------------------
/roles/prometheus_exporters/files/gitlab-exporter.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Gitlab Exporter Timer

[Timer]
# Every 10 minutes after the first run, starting 5 minutes after boot.
OnUnitActiveSec=10min
OnBootSec=5min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/files/sudoers:
--------------------------------------------------------------------------------
# Lets the btrfs textcollector (running as node_exporter) read device stats and
# filesystem info, which btrfs only allows as root.
# NOTE(review): in sudoers a "*" in command arguments also matches whitespace,
# so the "/[a-zA-Z]*" entry accepts additional arguments after the mount point;
# consider enumerating the mount points explicitly if that is not intended.
Cmnd_Alias EXPORTER = /usr/bin/btrfs --format json device stats /, /usr/bin/btrfs --format json device stats /[a-zA-Z]*, /usr/bin/btrfs filesystem show
node_exporter ALL=(ALL) NOPASSWD: EXPORTER

--------------------------------------------------------------------------------
/roles/prometheus_exporters/handlers/main.yml:
--------------------------------------------------------------------------------
# Notified when the blackbox exporter's module config changes.
- name: Reload blackbox exporter
  service: name=prometheus-blackbox-exporter state=reloaded

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/gitlab-exporter.conf.j2:
--------------------------------------------------------------------------------
# Environment for the gitlab exporter. The token is a vault secret; the file
# mode is set by the deploying task (not visible here).
GITLAB_EXPORTER_GITLAB_TOKEN={{ vault_gitlab_gitlab_exporter_token }}
GITLAB_EXPORTER_TOP_NTH={{ gitlab_exporter_top_nth }}
GITLAB_EXPORTER_GITLAB_API_URL=https://gitlab.archlinux.org/api/graphql

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-arch-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Arch Exporter TextCollector Timer

[Timer]
# Hourly, first run 15 minutes after boot.
OnUnitActiveSec=60m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-archive-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Archive Exporter TextCollector Timer

[Timer]
# 24 hours (written in minutes; equivalent to 1d)
OnUnitActiveSec=1440m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-btrfs-textcollector.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus btrfs Exporter
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# Runs unprivileged; the btrfs calls it needs are whitelisted in the sudoers file.
User=node_exporter
ExecStart=/usr/local/bin/btrfs-textcollector.sh {{ prometheus_textfile_dir }}

# NOTE(review): ReadWritePaths= only relaxes a restriction created by
# ProtectSystem= or ReadOnlyPaths=; with neither set here it has no effect.
# Adding ProtectSystem=strict would make it meaningful, but check that sudo
# still works under it first.
ReadWritePaths={{ prometheus_textfile_dir }}
PrivateNetwork=true

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-btrfs-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Btrfs Exporter TextCollector Timer

[Timer]
# Daily, first run 15 minutes after boot.
OnUnitActiveSec=1d
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-fail2ban-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Fail2ban Exporter TextCollector Timer

[Timer]
# Every 10 minutes, first run 15 minutes after boot.
OnUnitActiveSec=10min
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-fastly-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Fastly Exporter TextCollector Timer

[Timer]
# Hourly; the jitter here is a full hour (the other collector timers use 1min),
# presumably to spread calls to the external Fastly API — confirm.
OnUnitActiveSec=1h
OnBootSec=15min
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-hetzner-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Hetzner Exporter TextCollector Timer

[Timer]
# Hourly, first run 15 minutes after boot.
OnUnitActiveSec=1h
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-memcached-exporter.j2:
--------------------------------------------------------------------------------
# Point the memcached exporter at the local Unix socket (memcached_socket is
# defined outside this role).
MEMCACHED_EXPORTER_ARGS="--memcached.address {{ memcached_socket }}"

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-mysqld-exporter.j2:
--------------------------------------------------------------------------------
# Environment for the mysqld exporter; the password is a vault secret, so this
# file must not be world-readable (mode is set by the deploying task).
MYSQLD_EXPORTER_PASSWORD="{{ vault_monitoring_mysql_password }}"
# TODO: review these settings
MYSQLD_EXPORTER_ARGS="--collect.binlog_size --collect.info_schema.processlist --collect.info_schema.userstats --mysqld.username={{ prometheus_mysqld_user }}"

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-node-exporter.env.j2:
--------------------------------------------------------------------------------
# systemd collector plus the textfile directory the *-textcollector timers write to.
NODE_EXPORTER_ARGS="--collector.systemd --collector.textfile.directory={{ prometheus_textfile_dir }}"

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-rebuilderd-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Rebuilderd Exporter TextCollector Timer

[Timer]
# Hourly, first run 15 minutes after boot.
OnUnitActiveSec=60m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-repository-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Arch Repository Exporter TextCollector Timer

[Timer]
# 24 hours (written in minutes; equivalent to 1d)
OnUnitActiveSec=1440m
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/prometheus_exporters/templates/prometheus-smart-textcollector.timer.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Prometheus Smart Exporter TextCollector Timer

[Timer]
# Hourly, first run 15 minutes after boot.
OnUnitActiveSec=1h
OnBootSec=15min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/promtail/files/override.conf:
--------------------------------------------------------------------------------
# Drop-in for promtail.service: grant read access to log files owned by the
# "log" group without running the shipper as root.
[Service]
SupplementaryGroups=log

--------------------------------------------------------------------------------
/roles/promtail/handlers/main.yml:
--------------------------------------------------------------------------------
# daemon_reload is needed because the role ships a drop-in (override.conf).
- name: Restart promtail
  systemd_service: name=promtail daemon_reload=yes state=restarted

--------------------------------------------------------------------------------
/roles/public_html/files/generate-public_html.service:
--------------------------------------------------------------------------------
[Unit]
Description=Generate public_html files
# Do not run (or fail early) if the target filesystem is not mounted.
RequiresMountsFor=/srv/public_html

[Service]
Type=oneshot
ExecStart=/usr/local/bin/generate-public_html
# Background job: lowest CPU priority and low I/O priority.
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/roles/public_html/files/generate-public_html.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Daily creation of public_html files

[Timer]
# Once a day, anywhere within the day (24h accuracy window); runs are caught
# up after downtime.
OnCalendar=daily
AccuracySec=24h
Persistent=true

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/public_html/files/public_html/check_network_status.txt:
--------------------------------------------------------------------------------
1 | NetworkManager is online
2 |
--------------------------------------------------------------------------------
/roles/public_html/files/public_html/static/archnavbar/archlogo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archlinux/infrastructure/91384906a4fc7b69f7b32c341cbbdf47a7f72b2c/roles/public_html/files/public_html/static/archnavbar/archlogo.png
--------------------------------------------------------------------------------
/roles/public_html/files/public_html/static/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archlinux/infrastructure/91384906a4fc7b69f7b32c341cbbdf47a7f72b2c/roles/public_html/files/public_html/static/favicon.ico
--------------------------------------------------------------------------------
/roles/quassel/files/clean-quassel.service:
--------------------------------------------------------------------------------
[Unit]
Description=Clean up Quassel backlog
# Only meaningful while the database is up; never starts PostgreSQL itself.
Requisite=postgresql.service
After=postgresql.service

[Service]
User=postgres
Type=oneshot
# Drop backlog older than a month, then reclaim space. `-a` echoes the
# statements into the journal.
ExecStart=/usr/bin/psql -a -d quassel -c "DELETE FROM backlog WHERE time < NOW() - INTERVAL '1 months';"
ExecStart=/usr/bin/psql -a -d quassel -c "VACUUM VERBOSE ANALYZE backlog;"

--------------------------------------------------------------------------------
/roles/quassel/files/clean-quassel.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Daily Quassel cleanup

[Timer]
# Daily within a 24h window; missed runs are caught up after downtime.
OnCalendar=daily
AccuracySec=24h
Persistent=true

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/quassel/files/quassel.service.d:
--------------------------------------------------------------------------------
# Drop-in for quassel.service: replace the packaged command line and harden.
[Service]
# Empty assignment clears the packaged ExecStart before overriding it.
ExecStart=
ExecStart=/usr/bin/quasselcore --configdir=/var/lib/quassel --ident-daemon --ident-listen=::,0.0.0.0 --ident-port=113 --strict-ident --syslog --require-ssl
# Needed only to bind the ident port (113 < 1024) without running as root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateTmp=yes
NoNewPrivileges=yes
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

--------------------------------------------------------------------------------
/roles/quassel/handlers/main.yml:
--------------------------------------------------------------------------------
# Re-read unit files after the quassel.service drop-in is installed.
- name: Daemon reload
  systemd_service: daemon_reload=yes

--------------------------------------------------------------------------------
/roles/quassel/templates/letsencrypt.hook.d.j2:
--------------------------------------------------------------------------------
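#!/bin/sh
# Certificate hook for quasselcore: when the renewal covered the quassel
# domain, rebuild the combined key+chain file (readable by root and the
# quassel group only) and restart quassel so the new certificate is used.
# RENEWED_DOMAINS is exported by the ACME client for its renew hooks.

test "$1" = renew || exit 0

quassel_domain="{{ quassel_domain }}"
live_dir="/etc/letsencrypt/live/$quassel_domain"

for domain in $RENEWED_DOMAINS; do
    case "$domain" in
        "$quassel_domain")
            # Both inputs must exist: a failed cat inside the pipeline would
            # otherwise install a truncated certificate file.
            for f in privkey.pem fullchain.pem; do
                [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; exit 1; }
            done
            # Key first, then chain; listed explicitly because {a,b} brace
            # expansion is a bash extension, not POSIX sh.
            cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" |
                install -o root -g quassel -m 640 /dev/stdin /var/lib/quassel/quasselCert.pem
            systemctl restart quassel
            break
            ;;
    esac
done
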
--------------------------------------------------------------------------------
/roles/rebuilderd/defaults/main.yml:
--------------------------------------------------------------------------------
rebuilderd_domain: reproducible.archlinux.org
rebuilderd_nginx_conf: /etc/nginx/nginx.d/rebuilderd.conf
rebuilder_website_loc: /usr/share/webapps/rebuilderd-website

# Repositories whose packages are scheduled for rebuilds.
suites:
  - core
  - core-testing
  - extra
  - extra-testing

--------------------------------------------------------------------------------
/roles/rebuilderd/templates/rebuilderd.conf.j2:
--------------------------------------------------------------------------------
[http]
# Trust the client address from X-Real-IP; only safe while rebuilderd is
# reachable exclusively through the nginx proxy that sets it.
real_ip_header = "X-Real-IP"

[worker]
# set the generated secret for our workers here
signup_secret = "{{ vault_rebuilderd_signup_secret }}"

[schedule]
# 1 week
retry_delay_base = 168

--------------------------------------------------------------------------------
/roles/rebuilderd_worker/files/clean-repro:
--------------------------------------------------------------------------------
#!/bin/bash -e
# Periodic cleanup for rebuilderd workers (run by clean-repro.timer).

# remove leftover chroots that are more than a week old
# (-mtime +6 == last modified at least 7 days ago; only direct children)
find /var/lib/repro -maxdepth 1 -name '*?_?*' -mtime +6 -exec rm -rf {} +

# clean the package cache but keep recently accessed files
# (the lock serialises this with other users of the cache)
flock /var/lib/rebuilderd-worker/cache.lock \
    paccache -r -q -c /var/lib/rebuilderd-worker/cache --min-atime '2 weeks ago'

--------------------------------------------------------------------------------
/roles/rebuilderd_worker/files/clean-repro.service:
--------------------------------------------------------------------------------
[Unit]
Description=Clean up rebuilderd-worker chroots and cache
# Skip silently on hosts where the worker directories do not exist.
ConditionPathExists=/var/lib/repro
ConditionPathExists=/var/lib/rebuilderd-worker/cache

[Service]
Type=oneshot
ExecStart=/usr/local/bin/clean-repro
# Background job: lowest CPU priority and low I/O priority.
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7

--------------------------------------------------------------------------------
/roles/rebuilderd_worker/files/clean-repro.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Daily rebuilderd-worker chroot and cache cleanup

[Timer]
# Daily, spread over up to 12h so workers do not all clean at once.
OnCalendar=daily
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target

--------------------------------------------------------------------------------
/roles/rebuilderd_worker/files/repro.conf:
--------------------------------------------------------------------------------
# repro configuration for rebuilderd workers.
# Skip the package check() phase; cache shared with clean-repro; cap per-build memory.
NOCHECK=1
CACHEDIR=/var/lib/rebuilderd-worker/cache
MAX_MEMORY=32G

--------------------------------------------------------------------------------
/roles/rebuilderd_worker/handlers/main.yml:
--------------------------------------------------------------------------------
# Re-read unit files after clean-repro.service/.timer are installed.
- name: Daemon reload
  systemd_service:
    daemon-reload: true

--------------------------------------------------------------------------------
/roles/redirects/files/maps/cgit-migrated-repos.map:
--------------------------------------------------------------------------------
# nginx map entries: old cgit repository path -> new canonical forge URL.
/pacman.git https://gitlab.archlinux.org/pacman/pacman;
/pacman-contrib.git https://gitlab.archlinux.org/pacman/pacman-contrib;

/netctl.git https://gitlab.archlinux.org/archlinux/netctl;
/mkinitcpio.git https://github.com/archlinux/mkinitcpio;
/linux.git https://github.com/archlinux/linux;

--------------------------------------------------------------------------------
/roles/redirects/tasks/main.yml:
--------------------------------------------------------------------------------
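# Per-redirect TLS certificates, log directories and one nginx vhost file for
# every entry in the `redirects` list (each item carries at least `domain`).
- name: Create ssl cert
  include_role:
    name: certificate
  vars:
    domains: ["{{ item.domain }}"]
  loop: "{{ redirects }}"

- name: Make nginx log dir
  file: path=/var/log/nginx/{{ item.domain }} state=directory owner=root group=root mode=0755
  loop: "{{ redirects }}"

- name: Set up nginx
  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/redirects.conf" owner=root group=root mode=0644
  notify: Reload nginx
  tags: ['nginx']

# nginx reads the map files at (re)load time, so a changed map must notify the
# reload handler too or the previous mappings stay active until some other
# change reloads nginx.
- name: Copy nginx map files
  copy: src=maps dest=/etc/nginx/ owner=root group=root mode=0600
  notify: Reload nginx
  tags: ['nginx']
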
--------------------------------------------------------------------------------
/roles/root_ssh/defaults/main.yml:
--------------------------------------------------------------------------------
# Where root's authorized_keys is managed.
root_ssh_directory: /root/.ssh

--------------------------------------------------------------------------------
/roles/root_ssh/tasks/main.yml:
--------------------------------------------------------------------------------
# sshd refuses keys from a directory/file that is group- or world-accessible,
# hence 0700 / 0600 owned by root.
- name: Create .ssh directory
  file: path={{ root_ssh_directory }} state=directory owner=root group=root mode=0700

# The key list is rendered from authorized_keys.j2 (source of the keys not visible here).
- name: Add authorized keys for root
  template: src=authorized_keys.j2 dest={{ root_ssh_directory }}/authorized_keys mode=0600 owner=root group=root

--------------------------------------------------------------------------------
/roles/rspamd/defaults/main.yml:
--------------------------------------------------------------------------------
# Whether DKIM signing keys are looked up by effective second-level domain.
rspamd_dkim_use_esld: true

--------------------------------------------------------------------------------
/roles/rspamd/files/local.d/headers_group.conf:
--------------------------------------------------------------------------------
# Spoofing reply-to has valid use cases, setting to 2.0 for pacman-dev
# https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/395
# (lowers the symbol's weight so a mismatched Reply-To alone does not reject mail)

symbols = {
    "SPOOF_REPLYTO" {
        weight = 2.0;
    }
}

--------------------------------------------------------------------------------
/roles/rspamd/files/local.d/logging.inc:
--------------------------------------------------------------------------------
# Log to the console and let systemd (the journal) capture it.
systemd = true;
type = "console";

--------------------------------------------------------------------------------
/roles/rspamd/files/local.d/milter_headers.conf:
--------------------------------------------------------------------------------
# Add Authentication-Results (SPF/DKIM/DMARC outcome) to every scanned message;
# extended headers give the full symbol list for debugging.
extended_spam_headers = true;
use = ["authentication-results"];
# Also add the header on authenticated (submission) mail.
authenticated_headers = ["authentication-results"];

--------------------------------------------------------------------------------
/roles/rspamd/files/local.d/options.inc:
--------------------------------------------------------------------------------
# Resolve via the local resolver on port 5353 rather than the system one
# (presumably a dedicated validating resolver for DNSBL lookups — confirm).
dns {
    nameserver = ["127.0.0.1:5353"];
}


--------------------------------------------------------------------------------
/roles/rspamd/files/local.d/redis.conf:
--------------------------------------------------------------------------------
# Key/value backend is the local valkey instance pulled in via meta/main.yml.
write_servers = "127.0.0.1";
read_servers = "127.0.0.1";

--------------------------------------------------------------------------------
/roles/rspamd/handlers/main.yml:
--------------------------------------------------------------------------------
# Notified when files under local.d change.
- name: Reload rspamd
  service: name=rspamd state=reloaded

--------------------------------------------------------------------------------
/roles/rspamd/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  description: rspamd role
  standalone: false

# rspamd's redis.conf points at 127.0.0.1, so the local valkey role is required.
dependencies:
  - role: valkey

--------------------------------------------------------------------------------
/roles/security_tracker/defaults/main.yml:
--------------------------------------------------------------------------------
# Release of arch-security-tracker to deploy.
security_tracker_version: "0.14.5"

--------------------------------------------------------------------------------
/roles/security_tracker/files/security-tracker-update.service:
--------------------------------------------------------------------------------
[Unit]
Description=Security Tracker update service

[Service]
Type=oneshot
# Runs as the unprivileged app user from the deployment directory.
User=security
Group=security
WorkingDirectory=/srv/http/security-tracker
ExecStart=/usr/bin/make update

# Sandboxing: no privilege escalation, read-only /usr /boot /etc, no access to
# /home, private /tmp and /dev, read-only kernel tunables/modules/cgroups.
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/roles/security_tracker/files/security-tracker-update.timer:
--------------------------------------------------------------------------------
[Unit]
Description=Security Tracker update timer

[Timer]
# Re-run 5 minutes after the update unit was last activated and 5 minutes
# after boot; the random delay keeps the upstream fetches off an exact
# schedule so many hosts do not hit the same source at once.
OnUnitActiveSec=5min
OnBootSec=5min
RandomizedDelaySec=1min

[Install]
WantedBy=timers.target
--------------------------------------------------------------------------------
/roles/security_tracker/handlers/main.yml:
--------------------------------------------------------------------------------
# Listens on "Post security-tracker deploy" and applies pending schema
# migrations as the unprivileged `security` user from the deployed checkout.
- name: Upgrade database # noqa no-changed-when
  become: true
  become_user: security
  command: /usr/bin/make db-upgrade
  args:
    chdir: "{{ security_tracker_dir }}"
  listen: Post security-tracker deploy
--------------------------------------------------------------------------------
/roles/security_tracker/templates/20-user.local.conf.j2:
--------------------------------------------------------------------------------
{# Both secrets below come from ansible-vault, so the rendered file must only be
   readable by the service user. TODO confirm the mode/owner set by the task that
   installs it (that task is not among this role's visible files). #}
[flask]
{# NOTE(review): secret_key is single-quoted while client_secret below is not.
   Confirm the tracker's config parser strips the quotes; if it does not, the
   quote characters silently become part of the key. #}
secret_key = '{{ vault_security_tracker.secret_key }}'

[sso]
enabled = yes
{# OpenID Connect against the accounts realm (presumably Keycloak, judging by
   the URL shape). The three group paths map identity-provider groups to the
   tracker's roles; a change on the IdP side changes who is an admin here. #}
metadata_url = https://accounts.archlinux.org/realms/archlinux/.well-known/openid-configuration
client_id = openid_security_tracker
client_secret = {{ vault_security_tracker_openid_client_secret }}
administrator_group = /Arch Linux Staff/Security Team/Admins
security_team_group = /Arch Linux Staff/Security Team/Members
reporter_group = /External Contributors/Security Team/Reporters
--------------------------------------------------------------------------------
/roles/security_tracker/templates/security-tracker.ini.j2:
--------------------------------------------------------------------------------
# uwsgi vassal for the security tracker, picked up by the emperor in
# roles/uwsgi (emperor.ini.j2).
[uwsgi]
plugins=python
chdir={{ security_tracker_dir }}
module=tracker:create_app()
# Unix socket shared with the web server. With uid/gid below the socket is
# presumably created as security:http, and 660 keeps it reachable only by
# that user and the http group.
socket=/run/uwsgi/security-tracker.sock
chmod-socket=660
processes=4
threads=2
master=true
# The emperor runs in tyrant mode, where a vassal is switched to the owner of
# its ini file -- NOTE(review): keep the file's ownership in sync with these
# two values.
uid=security
gid=http
thunder-lock = true
daemonize=/var/log/uwsgi/security.log
# The stats socket exposes process/request internals; no chmod is applied to
# it here, TODO confirm the default permissions are acceptable.
stats=/run/uwsgi/security-tracker-stats.sock
--------------------------------------------------------------------------------
/roles/sshd/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler: a full restart is required for sshd to pick up a new sshd_config;
# existing sessions survive, only the listener is re-created.
- name: Restart sshd
  service:
    name: sshd
    state: restarted
--------------------------------------------------------------------------------
/roles/sshd/templates/sshd_config.j2:
--------------------------------------------------------------------------------
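# Managed by ansible (roles/sshd); sshd_port comes from the inventory.
Port {{ sshd_port }}
# VERBOSE logs the fingerprint of every accepted public key, which is what
# makes the auth log attributable to a particular key holder.
LogLevel VERBOSE
PasswordAuthentication no
# NOTE(review): with PAM enabled, keyboard-interactive can still prompt for a
# password unless KbdInteractiveAuthentication is also `no`; whether the
# distro default already covers that depends on where this file is installed
# -- confirm.
ClientAliveInterval 30

# unlink forwarded sockets; for gpg agent forwarding
StreamLocalBindUnlink yes

# accept environment variables for user's color, language/locale
# and timezone settings
AcceptEnv COLORFGBG
AcceptEnv LANG
AcceptEnv LC_*
AcceptEnv TZ

# Forwarding is disabled everywhere; buildservers only disable it for root.
# The Match block MUST stay at the end of the file: in sshd_config a Match
# block extends to the next Match line or end of file, so any global keyword
# placed after it (previously StreamLocalBindUnlink and AcceptEnv) would apply
# to root only on buildservers.
{% if 'buildservers' not in group_names %}
AllowAgentForwarding no
AllowTcpForwarding no
{% else %}
Match User root
    AllowAgentForwarding no
    AllowTcpForwarding no
{% endif %}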
--------------------------------------------------------------------------------
/roles/sudo/defaults/main.yml:
--------------------------------------------------------------------------------
# Accounts granted sudo by this role; inventories extend the list per host or
# group. Keep it minimal -- every entry here is an effective root account.
sudo_users:
  - root
--------------------------------------------------------------------------------
/roles/syncrepo/files/rsyncd.conf:
--------------------------------------------------------------------------------
# rsync daemon for the public package mirror.
# With `use chroot = no` the daemon does not confine itself to the module
# path; safety then rests on the module being read-only (rsyncd's default
# when `read only` is unset) and on the daemon's default unprivileged
# uid/gid. NOTE(review): consider stating `read only = yes` explicitly so the
# property survives a future global-section change.
use chroot = no
max connections = 200
syslog facility = local5

[packages]
path = /srv/ftp
comment = archlinux packages mirror
# Debug packages are not served to mirrors.
exclude = /*-debug/ /pool/*-debug/
--------------------------------------------------------------------------------
/roles/tempo/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler: restart tempo after its configuration was changed.
- name: Restart tempo
  service:
    name: tempo
    state: restarted
--------------------------------------------------------------------------------
/roles/terraform_state/defaults/main.yml:
--------------------------------------------------------------------------------
# PostgreSQL role and database that hold the Terraform state backend
# (tasks/main.yml). The role's password comes from vault_terraform_db_password.
terraform_db_user: "terraform"
terraform_db: "terraform"
--------------------------------------------------------------------------------
/roles/terraform_state/tasks/main.yml:
--------------------------------------------------------------------------------
# Provision the PostgreSQL backend that stores Terraform state. Both tasks run
# as the postgres superuser via su.
- name: Create terraform state db
  postgresql_db:
    db: "{{ terraform_db }}"
  become: true
  become_user: postgres
  become_method: ansible.builtin.su

# The vault-sourced password is stored hashed (encrypted: true). `priv: ALL`
# grants the role every database-level privilege on the state database,
# which is what the backend needs to create its tables.
# NOTE(review): newer community.postgresql releases deprecate `priv` on
# postgresql_user in favour of postgresql_privs -- check the collection
# version in use before upgrading.
- name: Create terraform state db user
  postgresql_user:
    name: "{{ terraform_db_user }}"
    db: "{{ terraform_db }}"
    password: "{{ vault_terraform_db_password }}"
    encrypted: true
    priv: "ALL"
  become: true
  become_user: postgres
  become_method: ansible.builtin.su
--------------------------------------------------------------------------------
/roles/tools/tasks/main.yml:
--------------------------------------------------------------------------------
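# Baseline interactive tooling for every host.
- name: Install misc utils
  pacman:
    state: present
    name:
      - zsh
      - fish
      - git
      - parallel
      - nnn # added for its screen reader support

# Hosts/groups may list extra packages in `extra_utils`; skipped when unset.
# Passed as a proper YAML value rather than inside a `key=value` string: in
# the k=v form a list variable is stringified into the argument line, so a
# list-typed extra_utils would not reach the module as a list.
- name: Install extra utils
  pacman:
    state: present
    name: "{{ extra_utils }}"
  when: extra_utils is defined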
--------------------------------------------------------------------------------
/roles/unbound/defaults/main.yml:
--------------------------------------------------------------------------------
# Port the local resolver listens on (templates/unbound.conf.j2). Override per
# host when another service already owns 53 or when a consumer such as
# rspamd expects the resolver elsewhere.
unbound_port: 53
--------------------------------------------------------------------------------
/roles/unbound/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler: restart unbound so a re-rendered unbound.conf takes effect.
- name: Restart unbound
  service:
    name: unbound
    state: restarted
--------------------------------------------------------------------------------
/roles/unbound/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Install unbound
  pacman:
    name: unbound

# The rendered config carries no secrets, so a world-readable 0644 is fine;
# the remote-control key pair lives in separate files created below.
- name: Install unbound config file
  template:
    src: unbound.conf.j2
    dest: /etc/unbound/unbound.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart unbound

# Generates the server/control certificate and key pair that unbound-control
# authenticates with; `creates` keeps the task idempotent so keys are never
# silently rotated on a re-run.
- name: Create remote-control keys
  command: unbound-control-setup
  args:
    creates: /etc/unbound/unbound_control.key

- name: Active service
  service:
    name: unbound
    state: started
    enabled: yes
--------------------------------------------------------------------------------
/roles/unbound/templates/unbound.conf.j2:
--------------------------------------------------------------------------------
# Local validating resolver. No `interface:`/`access-control:` is set, so the
# packaged defaults apply -- presumably loopback only; confirm if a host needs
# to serve other machines.
server:
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"
    verbosity: 1
    port: {{ unbound_port }}
    # DNSSEC validation with a static trust anchor. A static file does not
    # follow root KSK rollovers by itself (auto-trust-anchor-file would);
    # NOTE(review): confirm the package that ships trusted-key.key is kept
    # current, otherwise validation breaks at the next rollover.
    trust-anchor-file: trusted-key.key

# unbound-control access; the control interface is left at its default
# (loopback) and uses the key pair created by the role's tasks.
remote-control:
    control-enable: yes
--------------------------------------------------------------------------------
/roles/uwsgi/handlers/main.yml:
--------------------------------------------------------------------------------
# Handler: restart the uwsgi emperor (and with it every vassal) after
# emperor.ini changed.
- name: Restart emperor.uwsgi
  service:
    name: emperor.uwsgi
    state: restarted
--------------------------------------------------------------------------------
/roles/uwsgi/templates/emperor.ini.j2:
--------------------------------------------------------------------------------
[uwsgi]
# Every ini file in this directory is started and supervised as a vassal.
emperor = /etc/uwsgi/vassals
# The emperor itself drops to an unprivileged account.
uid = uwsgi
gid = uwsgi
# Tyrant mode: each vassal is switched to the uid/gid of the owner of its ini
# file, so file ownership in the vassals directory is the privilege boundary.
# NOTE(review): the security-tracker vassal sets uid=security gid=http; its
# ini file must be owned accordingly -- confirm in the task that installs it.
emperor-tyrant = true
# Capabilities retained after dropping root: only what tyrant mode needs to
# switch a vassal to its owner.
cap = setgid,setuid
--------------------------------------------------------------------------------
/roles/valkey/tasks/main.yml:
--------------------------------------------------------------------------------
# Install and enable valkey with the packaged configuration; consumers such as
# the rspamd role expect it on 127.0.0.1.
- name: Install valkey
  pacman:
    name: valkey
    state: present

- name: Start and enable valkey
  service:
    name: valkey
    enabled: yes
    state: started
--------------------------------------------------------------------------------
/roles/wireguard/handlers/main.yml:
--------------------------------------------------------------------------------
# https://github.com/systemd/systemd/issues/9627
# Work-around for the issue above: a plain `networkctl reload` does not apply
# every wireguard netdev change, so the interface is torn down first and then
# re-created by the reload. Both handlers listen on "Reload wireguard" and
# run in this order.
- name: Delete wg0 # noqa no-changed-when
  command: networkctl delete wg0
  register: result
  # rc 1 is tolerated: the interface does not exist yet on first deploy.
  failed_when: result.rc not in [0, 1]
  listen: Reload wireguard

- name: Reload .network and .netdev files # noqa no-changed-when
  command: networkctl reload
  listen: Reload wireguard
--------------------------------------------------------------------------------
/roles/wireguard/templates/wg0.netdev.j2:
--------------------------------------------------------------------------------
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
# The private key is loaded from a systemd credential rather than written
# into this file, so the rendered netdev holds no secret.
PrivateKey=@network.wireguard.private.wg0

# Full mesh: every other inventory host becomes a peer, restricted to its
# single wireguard address. Rendering fails for any host in groups['all']
# that lacks wireguard_public_key/wireguard_address -- presumably intended
# as a guard, confirm.
# NOTE(review): no PresharedKey= is configured; a per-pair PSK adds a
# symmetric layer on top of the Curve25519 handshake if that is wanted.
{% for host in groups['all'] if host != inventory_hostname %}
[WireGuardPeer]
PublicKey={{ hostvars[host]['wireguard_public_key'] }}
AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
Endpoint={{ host }}:51820

{% endfor %}
--------------------------------------------------------------------------------
/roles/wireguard/templates/wg0.network.j2:
--------------------------------------------------------------------------------
[Match]
Name=wg0

[Network]
# Host address on the mesh; the /24 matches the /32 AllowedIPs entries that
# wg0.netdev.j2 assigns per peer.
Address={{ wireguard_address }}/24
--------------------------------------------------------------------------------
/tf-stage1/versions.tf:
--------------------------------------------------------------------------------
# Provider requirements for stage 1 (Hetzner cloud + DNS).
# NOTE(review): no `version` constraint is given for any provider, so the
# versions actually used are whatever the dependency lock file pins -- confirm
# that .terraform.lock.hcl is committed and reviewed on updates, since it is
# the only thing holding the provider supply chain fixed here.
terraform {
  required_providers {
    external = {
      source = "hashicorp/external"
    }
    hcloud = {
      source = "hetznercloud/hcloud"
    }
    hetznerdns = {
      source = "timohirt/hetznerdns"
    }
  }
  required_version = ">= 0.13"
}
--------------------------------------------------------------------------------
/tf-stage2/versions.tf:
--------------------------------------------------------------------------------
# Provider requirements for stage 2 (Keycloak + UptimeRobot).
# NOTE(review): as in tf-stage1, providers carry no `version` constraint, so
# the lock file is the only pin -- confirm it is committed and reviewed.
# The keycloak provider has since moved to the keycloak/keycloak registry
# namespace upstream; check before the next provider upgrade.
terraform {
  required_providers {
    external = {
      source = "hashicorp/external"
    }
    keycloak = {
      source = "mrparkers/keycloak"
    }
    uptimerobot = {
      source = "vexxhost/uptimerobot"
    }
  }
  required_version = ">= 0.13"
}
--------------------------------------------------------------------------------