Useful if we wanted to create a Geo-based archive consisting of machines
in the archive_mirrors group (though this will likely not happen because
it'd break archlinux-repro due to the ~4 hour sync delay).

anthraxx wants some infra for a repos-git POC, so let's give it to him!

The server has been configured with the common and firewalld role, but
is unmanaged.

We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].
[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/

asia.mirror.pkgbuild.com has been offline for 12 days so far while we
wait for a NIC replacement. Should have taken it out of DNS NS duties
earlier but better late than never.

Ansible side of commit 5007c1a85e ("tf-stage1: allow setting the NS
TTL of geo domains"); both values need to match so our geo nameservers
report the same TTL as that returned by the parent zone's nameservers.

We don't want mirror.pkgbuild.com's DNS server to be a
single-point-of-failure, so this commit adds multiple authoritative DNS
servers for the zone. The extra DNS servers are run on the geomirror
servers.
The _acme-challenge zone, used for obtaining certificates, is run solely
on mirror.pkgbuild.com's DNS server, to avoid syncing DNS records
between the servers (KISS).

We had a GeoIP mirror in the past based on nginx and its GeoIP module,
but it didn't perform very well, due to the high latency (asking a
central server for the package and then redirected to the closest
mirror).
One of the reasons for offering this service, is so we can relieve
mirror.pkgbuild.com which is burning a ton of traffic (50TB/month),
likely due to it being the default mirror in our Docker image. Another
reason is so we can offer a link to our arch-boxes images in libosinfo
(used by gnome-boxes, virt-install and virt-manager), with good enough
performance for most users.
This time we take a different approach and use a DNS based solution,
which means the latency penalty is only paid once (the first DNS
request). The downside is that the mirrors must have a valid certificate
for the same domain name, which makes using third-party mirrors a
challenge. So for now, we are just using the sponsored mirrors
controlled by the DevOps team.
Fix #101

Almost all of our DNS records have a TTL of 86400 (24 hours) with a few
using a TTL of 600 (some MX and TXT records). The former is too long to
be flexible when a need for fast change(s) arises, and the latter don't
benefit from the low TTL. Standardize on a TTL of 3600 (1 hour) for all
our records.
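The TTL policy stated in this message, and the rule from the earlier "tf-stage1" commit that the NS TTL served by the geo nameservers must equal the TTL in the parent zone's delegation, can both be checked mechanically before records are pushed. The following is an added example, not code from the Arch Linux infrastructure repository: a small Python audit over constructed BIND-style zone lines (the example.org names, nameserver hostnames and addresses are constructed for the demonstration) that reports records deviating from the 3600 second standard and NS records whose TTL differs between the parent's delegation and the child zone.

```python
"""Audit DNS zone records for the TTL policy described above.

Constructed example, not the Arch Linux infrastructure's own tooling.
Zone lines are expected in the form '<name> <ttl> IN <type> <rdata>';
';' comments and blank lines are ignored.
"""
import re
from dataclasses import dataclass

STANDARD_TTL = 3600  # policy from the commit message: 1 hour for all records

ZONE_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text: str) -> list[Record]:
    """Parse minimal BIND-style zone text into Record objects."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = ZONE_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {raw!r}")
        name, ttl, rtype, rdata = m.groups()
        records.append(Record(name, int(ttl), rtype, rdata.strip()))
    return records


def nonstandard_ttls(records: list[Record], standard: int = STANDARD_TTL) -> list[Record]:
    """Records whose TTL deviates from the standardized value."""
    return [r for r in records if r.ttl != standard]


def ns_ttl_mismatches(parent: list[Record], child: list[Record], zone: str):
    """(nameserver, parent_ttl, child_ttl) for NS records of `zone` whose
    TTL in the parent's delegation differs from the child's apex NS set."""
    parent_ns = {r.rdata: r.ttl for r in parent if r.rtype == "NS" and r.name == zone}
    child_ns = {r.rdata: r.ttl for r in child if r.rtype == "NS" and r.name == zone}
    return sorted(
        (ns, parent_ns[ns], child_ns[ns])
        for ns in parent_ns.keys() & child_ns.keys()
        if parent_ns[ns] != child_ns[ns]
    )


# Constructed sample data (hypothetical names and addresses).
PARENT_ZONE = """
; delegation of geo.example.org as seen in the parent zone
geo.example.org.   3600 IN NS ns1.example.org.
geo.example.org.   3600 IN NS ns2.example.org.
"""

CHILD_ZONE = """
; the geo zone itself, as served by its own nameservers
geo.example.org.        600   IN NS   ns1.example.org.   ; differs from parent
geo.example.org.        600   IN NS   ns2.example.org.
mirror.geo.example.org. 86400 IN A    192.0.2.10         ; legacy 24h TTL
mirror.geo.example.org. 3600  IN AAAA 2001:db8::10
"""


def audit(parent_text: str, child_text: str, zone: str) -> dict:
    """Run both checks and return the findings keyed by check name."""
    parent = parse_zone(parent_text)
    child = parse_zone(child_text)
    return {
        "nonstandard_ttl": nonstandard_ttls(child),
        "ns_ttl_mismatch": ns_ttl_mismatches(parent, child, zone),
    }


if __name__ == "__main__":
    findings = audit(PARENT_ZONE, CHILD_ZONE, "geo.example.org.")
    for r in findings["nonstandard_ttl"]:
        print(f"TTL {r.ttl} != {STANDARD_TTL}: {r.name} {r.rtype} {r.rdata}")
    for ns, p_ttl, c_ttl in findings["ns_ttl_mismatch"]:
        print(f"NS TTL mismatch for {ns}: parent {p_ttl}, child {c_ttl}")
```

Running the module on the constructed sample flags the two 600 second NS records and the 86400 second A record, and reports both nameservers as having a child TTL that differs from the parent's delegation; a clean zone produces no output.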
Follow-up to [1]; while most of our cloud servers are in Helsinki, the
latency from most of Europe is lower when accessing servers in Germany.
Pinging from multiple locations using ping.pe, the latency to Nuremberg
from most locations appears to be 10-20ms lower (compared to Helsinki).
[1] https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/500

With Hetzner now having a datacenter in the US[1], we don't want to
accidentally create a server in the US, so let's always create them in
Helsinki where most of our cloud servers are.
[1] https://www.hetzner.com/news/11-21-usa-cloud/

Archiving arch-commits mails maxes out the single vCPU of CX11 and
results in High CPU Prometheus alert. If we decide not to maintain
mail archive for arch-commits, then we can likely scale back down.