infrastructure/roles/dbscripts/templates/rsyncd.conf.proto.j2

# DO NOT CHANGE rsync.conf, CHANGE rsync.conf.proto INSTEAD!
# Hosts are managed by archweb, talk to someone that has permission to
# play with mirrors to get new IP addresses added.

use chroot = no
max connections = 12
lock file = /var/run/rsyncd/main.lock
syslog facility = local5
pid file = /var/run/rsyncd.pid
#transfer logging = yes
transfer logging = no
motd file = /etc/rsyncd.motd
timeout = 600

# ALLOW ONLY TIERED MIRRORS
# This effectively disables all sections but *_tier1 and *_auth
# We keep the configuration around in case we need to revert again
hosts allow = 127.0.0.1

# DENY THE REST
hosts deny = *

{% if 'archive_mirrors' in groups %}
[archive]
	path = /srv/archive
	comment = archive
	hosts allow = {{ groups['archive_mirrors'] | map('extract', hostvars, ['ipv4_address']) | join(' ') }} {{ groups['archive_mirrors'] | map('extract', hostvars, ['ipv6_address']) | join(' ') }}
{% endif %}

# Just the release/stable iso/packages (for most mirrors)
[ftp]
	path = /srv/ftp
	comment = ftp area (most mirrors should use this)
	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/

[ftp_tier1]
	path = /srv/ftp
	comment = ftp area (most mirrors should use this)
	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
	hosts allow = @@ALLOWHOSTS_TIER1@@
	max connections = 0

[ftp_auth]
	path = /srv/ftp
	comment = ftp area, passworded (same as 'ftp')
	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
	hosts allow = *
	auth users = *
	secrets file = /etc/rsyncd.secrets
	max connections = 0

# The whole she-bang, except /sources
[ftpfull]
	path = /srv/ftp
	comment = ftp area (everything, including very old versions, except sources)
	exclude = /sources/

[ftpfull_tier1]
	path = /srv/ftp
	comment = ftp area (everything, including very old versions, except sources)
	exclude = /sources/
	hosts allow = @@ALLOWHOSTS_TIER1@@
	max connections = 0

[ftpfull_auth]
	path = /srv/ftp
	comment = ftp area (everything, including very old versions, except sources)
	exclude = /sources/
	hosts allow = *
	auth users = *
	secrets file = /etc/rsyncd.secrets
	max connections = 0

# The whole she-bang
[kitchensink]
	path = /srv/ftp
	comment = ftp area (everything, including very old versions)
	hosts allow = {{ hostvars['archlinux.org']['ipv4_address'] }} {{ hostvars['archlinux.org']['ipv6_address'] }}

[kitchensink_tier1]
	path = /srv/ftp
	comment = ftp area (everything, including very old versions)
	hosts allow = @@ALLOWHOSTS_TIER1@@ {{ hostvars['gemini.archlinux.org']['ipv4_address'] }} {{ hostvars['gemini.archlinux.org']['ipv6_address'] }} {{ hostvars['repos.archlinux.org']['ipv4_address'] }} {{ hostvars['repos.archlinux.org']['ipv6_address'] }}
	max connections = 0

[kitchensink_auth]
	path = /srv/ftp
	comment = ftp area (everything, including very old versions)
	hosts allow = *
	auth users = *
	secrets file = /etc/rsyncd.secrets
	max connections = 0

# Debug repositories
[debug_packages]
	path = /srv/ftp
	comment =  debug packages
	exclude = *
	include = /*-debug/*** /pool /pool/*-debug/***
	hosts allow = {{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | join(' ') }} {{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | join(' ') }} {{ hostvars['debuginfod.archlinux.org']['ipv4_address'] }} {{ hostvars['debuginfod.archlinux.org']['ipv6_address'] }}
	max connections = 0

# Individual repositories
[core]
	path = /srv/ftp/core
	comment = core repository

[core-testing]
	path = /srv/ftp/core-testing
	comment = core-testing repository

[extra]
	path = /srv/ftp/extra
	comment = extra repository

[extra-testing]
	path = /srv/ftp/extra-testing
	comment = extra-testing repository