Add ALHP and Private support with Caching

plays/baseline.yaml

@@ -1,6 +1,6 @@
 ---
 - name: Baseline all hosts
-  hosts: all
+  hosts: all:!remote
   become: true
   become_user: root
   roles:

plays/upgrade.yaml

@@ -11,7 +11,13 @@
   become: true
   become_user: root
   tasks:
-    - name: Upgrade all avilable packages
+    - name: Upgrade the keyrings first
+      community.general.pacman:
+        name:
+          - archlinux-keyring
+          - alhp-keyring
+        state: latest
+    - name: Upgrade all available packages
       community.general.pacman:
         upgrade: true
   tags:
@@ -22,7 +28,13 @@
   become: true
   become_user: root
   tasks:
-    - name: Upgrade all avilable packages
+    - name: Upgrade the keyrings first
+      community.general.pacman:
+        name:
+          - archlinux-keyring
+          - alhp-keyring
+        state: latest
+    - name: Upgrade all available packages
       community.general.pacman:
         upgrade: true
   tags:

roles/cache/defaults/main.yaml

@@ -15,16 +15,38 @@ cache_repos:
       hostname: mirrors.ukfast.co.uk
       prefix: /sites/archlinux.org
     valid: 4w
+  - name: extra
+    upstream:
+      hostname: mirrors.ukfast.co.uk
+      prefix: /sites/archlinux.org
+    valid: 4w
   - name: community
     upstream:
       hostname: mirrors.ukfast.co.uk
       prefix: /sites/archlinux.org
     valid: 4w
-  - name: extra
+  - name: multilib
     upstream:
       hostname: mirrors.ukfast.co.uk
       prefix: /sites/archlinux.org
     valid: 4w
+
+  - name: core-x86-64-v3
+    upstream:
+      scheme: https
+      hostname: alhp.krautflare.de
+    valid: 4w
+  - name: extra-x86-64-v3
+    upstream:
+      scheme: https
+      hostname: alhp.krautflare.de
+    valid: 4w
+  - name: multilib-x86-64-v3
+    upstream:
+      scheme: https
+      hostname: alhp.krautflare.de
+    valid: 4w
+
   - name: private
     upstream:
       scheme: https

roles/cache/templates/cache.conf.jinja

@@ -69,6 +69,12 @@ server {
   # locally, allow it to be served locally, even when the file is stale
   proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
 
+  # Ensure we send the hostname to the upstream server and improve the TLS
+  # settings to ensure we use the latest protocols and re-use sessions for speed
+  proxy_ssl_server_name on;
+  proxy_ssl_protocols  TLSv1.2 TLSv1.3;
+  proxy_ssl_session_reuse on;
+
   # Add some cache status headers for debugging purposes, you can remove these lines if you want
   add_header X-Upstream-Status $upstream_status;
   add_header X-Cache-Status $upstream_cache_status;
@@ -79,14 +85,17 @@ server {
     rewrite /(.*)$ {{ repo.upstream.prefix }}/$1 break;
 {% endif %}
     proxy_pass {{ repo.upstream.scheme | default('http') }}://{{ repo.upstream.hostname }};
+    proxy_ssl_name {{ repo.upstream.hostname }};
     proxy_cache repositories;
     proxy_cache_valid 200 5m;
 
+
     location ~ \.pkg\.tar\.zst(\.sig)?$ {
 {% if repo.upstream.prefix is defined %}
       rewrite /(.*)$ {{ repo.upstream.prefix }}/$1 break;
 {% endif %}
       proxy_pass {{ repo.upstream.scheme | default('http') }}://{{ repo.upstream.hostname }};
+      proxy_ssl_name {{ repo.upstream.hostname }};
       proxy_cache repositories;
       proxy_cache_valid 200 {{ repo.valid | default('13w') }};
     }

roles/pacman/files/alhp

@@ -0,0 +1,10 @@
+#  DO NOT EDIT - Managed by Ansible
+
+# Use the three CNAMEs for cache-01.s.cym-south-1.kube.uk to allow three tries
+# against the same server in the event of network or protocol errors when
+# requesting databases or packages for all configured Arch Linux repositories
+Server = http://1.cache.s.cym-south-1.kub3.uk/$repo/os/$arch
+Server = http://2.cache.s.cym-south-1.kub3.uk/$repo/os/$arch
+Server = http://3.cache.s.cym-south-1.kub3.uk/$repo/os/$arch
+# This is a fall-back server in case the above do not work
+Server = https://alhp.krautflare.de/$repo/os/$arch/

roles/pacman/files/private

@@ -0,0 +1,10 @@
+#  DO NOT EDIT - Managed by Ansible
+
+# Use the three CNAMEs for cache-01.s.cym-south-1.kube.uk to allow three tries
+# against the same server in the event of network or protocol errors when
+# requesting databases or packages for all configured Arch Linux repositories
+Server = http://1.cache.s.cym-south-1.kub3.uk/$repo/os/$arch
+Server = http://2.cache.s.cym-south-1.kub3.uk/$repo/os/$arch
+Server = http://3.cache.s.cym-south-1.kub3.uk/$repo/os/$arch
+# This is a fall-back server in case the above do not work
+Server = https://repo.nwk.io/private

roles/pacman/handlers/main.yaml

@@ -1,6 +1,6 @@
 ---
 # handlers file for pacman
 
-- name: Refresh the pacman databases locally
+- name: Refresh the pacman databases
   community.general.pacman:
     update_cache: true

roles/pacman/tasks/main.yaml

@@ -6,15 +6,27 @@
     msg: This role does not support being run when bootstrapping hosts. Failing.
   when: bootstrap_mount_base | default('') | length
 
+- name: Check for the existance of the ALHP mirror file
+  ansible.builtin.stat:
+    path: /etc/pacman.d/alhp
+  register: alhp
+
 - name: Configure the mirrorlist
   ansible.builtin.copy:
-    src: mirrorlist
-    dest: /etc/pacman.d/mirrorlist
+    src: "{{ list }}"
+    dest: "/etc/pacman.d/{{ list }}"
     owner: root
     group: root
     mode: u=rw,g=r,o=r
   notify:
-    - Refresh the pacman databases locally
+    - Refresh the pacman databases
+  loop:
+    - arch
+    - alhp
+    - private
+  loop_control:
+    label: "/etc/pacman.d/{{ list }}"
+    loop_var: list
   tags:
     - pacman
     - configuraton
@@ -26,11 +38,44 @@
     owner: root
     group: root
     mode: u=rw,g=r,o=r
+  vars:
+    pacman_alhp_enable: false
+  when: not alhp.stat.exists
+  tags:
+    - pacman
+    - configuraton
+
+- name: Update the pacman databases
+  community.general.pacman:
+    update_cache: true
+  when: not alhp.stat.exists
+
+# We always need to ensure that all keyrings are up-to-date or validation of any
+# downloaded packages may fail before the keyring is updated
+- name: Ensure all keyrings are upgraded
+  community.general.pacman:
+    name: "{{ pacman_keyrings }}"
+    state: latest
+
+- name: Configure pacman.conf
+  ansible.builtin.template:
+    src: pacman.conf.jinja
+    dest: /etc/pacman.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  vars:
+    pacman_alhp_enable: true
   notify:
-    - Refresh the pacman databases locally
+    - Refresh the pacman databases
   tags:
     - pacman
     - configuraton
 
 - name: Refresh the handlers for pacman
   ansible.builtin.meta: flush_handlers
+
+- name: Install pacman hooks
+  community.general.pacman:
+    name: "{{ pacman_hooks }}"
+    state: latest

roles/pacman/templates/pacman.conf.jinja

@@ -17,17 +17,25 @@ ParallelDownloads = 5
 
 SigLevel = Required DatabaseOptional
 LocalFileSigLevel = Optional
-# RemoteFileSigLevel = Required
+RemoteFileSigLevel = Required
 
+{% if pacman_alhp_enable %}
+[core-x86-64-v3]
+Include = /etc/pacman.d/alhp
+
+[extra-x86-64-v3]
+Include = /etc/pacman.d/alhp
+
+{% endif %}
 [core]
-Include = /etc/pacman.d/mirrorlist
+Include = /etc/pacman.d/arch
 
 [extra]
-Include = /etc/pacman.d/mirrorlist
+Include = /etc/pacman.d/arch
 
 [community]
-Include = /etc/pacman.d/mirrorlist
+Include = /etc/pacman.d/arch
 
 [private]
 SigLevel = Never
-Server = https://repo.nwk.io/private
+Include = /etc/pacman.d/private

roles/pacman/vars/main.yaml

@@ -1,2 +1,9 @@
 ---
 # vars file for pacman
+
+pacman_keyrings:
+  - archlinux-keyring
+  - alhp-keyring
+
+pacman_hooks:
+  - pacman-cleanup-hook