Kristian Klausen
a9d48ad8ed
mta_sts: Use CRLF line terminators per the RFC[1]
...
[1] https://datatracker.ietf.org/doc/html/rfc8461#section-3.2
2022-05-16 22:46:01 +02:00
Kristian Klausen
eac26bfc98
Bump MTA STS id to invalidate cache
...
Fixes: 0b87cbfd ("mta_sts: Switch to enforce mode and bump max_age to 30 days")
2022-05-16 22:45:58 +02:00
Evangelos Foutras
733a2133b5
geo_dns: add option to set NS TTL for geo domains
...
Ansible side of commit 5007c1a85e ("tf-stage1: allow setting the NS TTL
of geo domains"); both values need to match so our geo nameservers
report the same TTL as that returned by the parent zone's nameservers.
2022-05-16 15:46:43 +03:00
Evangelos Foutras
5007c1a85e
tf-stage1: allow setting the NS TTL of geo domains
...
When adding a new geo domain or doing other testing, we would want to
use a low TTL to allow for making quick changes to the configuration.
2022-05-16 14:20:55 +03:00
Evangelos Foutras
7944981197
tf-stage1: use template for geo domains NS records
2022-05-14 14:20:43 +03:00
Kristian Klausen
37fb120aa8
Provision server for buildbot POC
...
Foxboron wants some infra for a buildbot POC, so let's give it to him!
The server has been configured with the common and firewalld role.
2022-05-12 22:27:00 +02:00
Evangelos Foutras
b4d60ae2f6
Move highly sensitive secrets to new "super" vault
...
The idea behind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.
2022-05-07 17:45:19 +03:00
Evangelos Foutras
6878066d91
geomirror: bump TTL to 86400 for NS records
...
In an effort to stay consistent with the TTL used for the archlinux.org
and pkgbuild.com NS records, as well as slightly improve lookup latency.
2022-04-29 20:38:15 +03:00
Evangelos Foutras
60fb4494fa
tf-stage1: version bump of terraform providers
...
New hcloud adds protection fields to servers, volumes and floating IPs.
2022-04-23 03:28:28 +03:00
Evangelos Foutras
17024ba287
Remove gitlab volume
...
/srv/gitlab has been moved to local (NVMe SSD) storage; hopefully it
won't grow too large and thus require transferring back to a volume.
2022-04-19 11:44:12 +03:00
Kristian Klausen
aa359082aa
Avoid single point-of-failure for our GeoIP domain
...
We don't want mirror.pkgbuild.com's DNS server to be a
single-point-of-failure, so this commit adds multiple authoritative DNS
servers for the zone. The extra DNS servers are run on the geomirror
servers.
The _acme-challenge zone, used for obtaining certificates, is run solely
on mirror.pkgbuild.com's DNS server, to avoid syncing DNS records
between the servers (KISS).
2022-04-15 19:43:33 +02:00
Kristian Klausen
9f65f99c6b
Add GeoIP domain for our sponsored mirrors
...
We had a GeoIP mirror in the past based on nginx and its GeoIP module,
but it didn't perform very well, due to the high latency (asking a
central server for the package and then redirected to the closest
mirror).
One of the reasons for offering this service, is so we can relieve
mirror.pkgbuild.com which is burning a ton of traffic (50TB/month),
likely due to it being the default mirror in our Docker image. Another
reason is so we can offer a link to our arch-boxes images in libosinfo
(used by gnome-boxes, virt-install and virt-manager), with good enough
performance for most users.
This time we take a different approach and use a DNS based solution,
which means the latency penalty is only paid once (the first DNS
request). The downside is that the mirrors must have a valid certificate
for the same domain name, which makes using third-party mirrors a
challenge. So for now, we are just using the sponsored mirrors
controlled by the DevOps team.
Fix #101
2022-04-13 03:10:09 +02:00
Evangelos Foutras
8838470cf5
Shrink debuginfod volume from 100G to 25G
...
This hasn't seen much growth in the past two months and is chilling
around 13G. We can easily bump it once we have more debug packages.
2022-04-11 20:42:46 +03:00
Kristian Klausen
af5d4b845e
Decommission aur-dev
...
With the PHP->Python port done[1][2], there isn't much need for aur-dev
anymore. Most things can also be tested locally and aur-dev hasn't got
any love since the port (ex: allowing the aurweb maintainers to deploy
without asking DevOps).
[1] https://lists.archlinux.org/pipermail/aur-general/2022-February/036786.html
[2] https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/525
2022-04-11 14:55:53 +02:00
Evangelos Foutras
e680dc3b75
tf-stage1: bump TTL to 86400 for NS records
...
The default TTL of 3600 seems a bit short for these.
2022-03-14 08:12:33 +02:00
Evangelos Foutras
2d1e9b57c0
tf-stage1: standardize on TTL 3600 for DNS records
...
Almost all of our DNS records have a TTL of 86400 (24 hours) with a few
using a TTL of 600 (some MX and TXT records). The former is too long to
be flexible when a need for fast change(s) arises, and the latter don't
benefit from the low TTL. Standardize on a TTL of 3600 (1 hour) for all
our records.
2022-03-13 20:18:06 +02:00
Evangelos Foutras
33cb9134dd
Resize gitlab volume from 250G to 200G
...
250 is not a nice round number, whereas 200 is.
2022-03-05 09:35:00 +02:00
Evangelos Foutras
e3d555851c
Revert "Add GitLab Pages for btw[1]"
...
This reverts commit c8d1a39af2
2022-02-26 15:41:56 +00:00
Kristian Klausen
c8d1a39af2
Add GitLab Pages for btw[1]
...
[1] https://gitlab.archlinux.org/archlinux/btw
2022-02-23 17:13:55 +01:00
Evangelos Foutras
87815d037c
Rescale gitlab from cx51 to cpx41
...
Better bang for buck; unfortunately it doesn't seem any faster.
2022-02-06 23:43:30 +02:00
Evangelos Foutras
e407f83e3a
Resize gitlab volume to 250G
2022-02-06 23:13:20 +02:00
Kristian Klausen
9a7483832c
Provision debuginfod server
2022-02-04 21:13:19 +00:00
Jelle van der Waa
d88c0b953e
Initialize gluebuddy host
2022-01-21 10:30:05 +01:00
Jan Alexander Steffens (heftig)
c0771b57ff
Remove _matrix._tcp.archlinux.org SRV record
...
The `https://archlinux.org/.well-known/matrix/server` response is used
over the SRV record in all cases. We haven't been listening on 8448
since e9e4c11444 (June 2019).
2021-12-10 18:23:23 +01:00
Sven-Hendrik Haase
d0de4aa30a
Resize aur-dev as it was apparently too small before
2021-12-05 02:02:17 +01:00
Kristian Klausen
1e52140929
Increase the volume size (150->200GiB) for monitoring.al.org
...
With Loki needing roughly 108GiB[1] and Prometheus at least[2]
116GiB[3], 200GiB sounds like a good starting point.
[1] increase(loki_ingester_chunk_stored_bytes_total[1w]) / 7 * 90
[2] https://www.robustperception.io/how-much-disk-space-do-prometheus-blocks-use
[3] (rate(prometheus_tsdb_compaction_chunk_size_bytes_sum[1w]) /
rate(prometheus_tsdb_compaction_chunk_samples_sum[1w])) *
increase(prometheus_tsdb_head_samples_appended_total[1w]) / 7 * 365
2021-10-08 17:47:52 +02:00
Kristian Klausen
d7d4ecbce1
Add GitLab Pages for "Service Agreements"
...
Ref: https://gitlab.archlinux.org/archlinux/service-agreements/-/merge_requests/16
2021-08-22 13:13:36 +02:00
Jelle van der Waa
9f54f8e07b
Add reproducible-notes for hosting packages.json
...
This subdomain hosts gitlab CI produced and updated notes for
unreproducible packages.
2021-07-31 15:46:35 +02:00
Evangelos Foutras
5ece8b98c2
Scale up lists to CPX11
...
Archiving arch-commits mails maxes out the single vCPU of CX11 and
results in High CPU Prometheus alert. If we decide not to maintain
mail archive for arch-commits, then we can likely scale back down.
2021-07-24 14:13:26 +03:00
Kristian Klausen
3ba230b17c
Replace runner1 with a new bigger box
...
CPU: Intel Xeon E5-2620 -> E-2288G
Disk: 2x~1TB -> 2x~500GB
2021-07-21 00:40:59 +02:00
Jelle van der Waa
373d4918cd
Add redirects for git.archlinux.org using a map
2021-07-14 20:03:54 +02:00
Evangelos Foutras
faba3a3d7c
misc/get_key.py: load vault file without chdir'ing
...
Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.
Fixes: 7754214604 ("Rewrite get_key.py to use click instead of typer")
2021-07-07 15:18:41 +03:00
Evangelos Foutras
9c2ca6851c
tf-stage1: Update commented out SOA entries
2021-07-07 13:40:59 +03:00
Thorben Günther
98f72a541a
tf-stage1: Update nameservers
...
Closes #207
2021-07-07 11:11:35 +02:00
Kristian Klausen
032763987c
Send promtail logs and scrape its metrics over WireGuard
2021-07-06 22:21:41 +00:00
Kristian Klausen
79f7d59910
Goodbye luna
...
https://lists.archlinux.org/pipermail/arch-dev-public/2021-July/030471.html
Fix #86
2021-07-04 12:46:01 +00:00
Kristian Klausen
06d4826aac
Make the lists.al.org VPS the new lists server
...
Fix #356
2021-06-30 09:30:31 +00:00
Kristian Klausen
41c5a5e26c
Add initial playbook for lists.archlinux.org
...
nginx, certbot, postfix and mailman are still missing and the DNS is
still pointing to luna.
2021-06-30 09:30:31 +00:00
Kristian Klausen
1ed1ee0f34
Increase the volume size (100->150GB) for monitoring.al.org
...
Loki is using a lot of storage (~8GB per week).
2021-06-23 15:59:19 +02:00
Kristian Klausen
d4206f7762
Create a redirect for the CoC
...
Fix #354
2021-06-16 00:28:16 +00:00
Kristian Klausen
db1ccafcf1
Remove removed svn2gittest.archlinux.org machine
2021-06-09 12:09:20 +02:00
Sven-Hendrik Haase
d2b110d250
Add dashboards.archlinux.org for public Grafana dashboards
...
Co-authored-by: Kristian Klausen <kristian@klausen.dk>
2021-05-13 23:28:01 +02:00
Jelle van der Waa
723f147129
Add tu bylaws website domain
...
The TU Bylaws is currently deployed as part of the aurweb role which
makes it more work for devops and with gitlab pages TU's can deploy it
themselves.
2021-05-08 21:24:53 +02:00
Jelle van der Waa
889ecc98df
Add openpgpkey.master-key domain
...
The WKD setup for master-key.archlinux.org requires this domain to
obtain the master keys via WKD. As WKD falls back to archlinux.org which
contains no .well-known/openpgpkey entry.
2021-04-27 22:30:51 +02:00
Sven-Hendrik Haase
147003aac1
Increase monitoring.archlinux.org from cx21 to cx31
2021-04-27 02:28:11 +02:00
Jelle van der Waa
29ed9fa602
Update whatcanidofor verification code
2021-04-22 20:49:07 +02:00
Daniel M. Capella
3c9d2abc8e
Fix asknot domain
...
Eg. https://whatcanidoforfedora.org/ and
https://whatcanidoformozilla.org/. Mea culpa.
2021-04-19 14:52:25 -04:00
Jelle van der Waa
67aeede014
resize monitoring for loki
...
Loki keeps logs it returns in ram, resulting in the oom killer on 2GB's
of ram.
2021-04-08 23:11:38 +02:00
Kristian Klausen
a5da021b56
Setup Pages for new bugs.archlinux.org snapshot service[1]
...
Fix #303
[1] https://gitlab.archlinux.org/archlinux/archlinux-bugs-snapshotter
2021-04-05 07:43:02 +02:00
Sven-Hendrik Haase
8100dcc85e
Add logging CNAME to monitoring
...
This allows us to get proper certificates for loki which will run on logging.archlinux.org
on the same machine as monitoring.archlinux.org.
2021-03-29 02:31:42 +02:00