Sven-Hendrik Haase authored Apr 30, 2021 and Kristian Klausen committed May 13, 2021

Co-authored-by: Kristian Klausen <kristian@klausen.dk>

Set the aurweb_location configuration so aur-dev emails have the correct
links in the registration url. Add new dependencies to the aurweb role
for the aurweb-notify script to be able to run on the pu branch.

Kristian Klausen authored Apr 27, 2021 and Jelle van der Waa committed May 13, 2021

The root_ssh_keys variable was changed in:
ea9f114d ("root_ssh: Support giving root access to only some hosts")
so let's just use the root_ssh role instead of maintaining the logic in
two places.

Our API endpoint was being abused by a malicious user which send about
20 req/s, as php-fpm uses a pool of workers this easily over burdens
them and also gives the server a constant 100% CPU load.

Applying a rate limit succesfully negates this issue.

The TU-Bylaws page is now deployed as gitlab page, making all of this
unrequired, the permanent redirect can stay for a while but the wiki is
already updated.

Ex: https://wiki.archlinux.org/index.php/Special:Search?search=systemd

The arch wiki box previously had plenty of ram to play around with, but
the current box is significantly smaller. Memcached seems to cache ~ 600
MB on average so 1024 should suit us fine.

Kristian Klausen authored May 05, 2021 and Jelle van der Waa committed May 08, 2021

Fix #321

Kristian Klausen authored May 05, 2021 and Jelle van der Waa committed May 08, 2021

With the switch to Rspamd from SpamAssassin it isn't faster anymore,
because Rspamd is configured as a global milter where SA was configured
as a smtpd_proxy_filter/content_filter for smtp/submission.

Jelle van der Waa authored May 08, 2021 and Sven-Hendrik Haase committed May 08, 2021

termite is now officially dead.

In hedgedoc 1.8.0 sequelizerc is no longer required to as the
config.json file is used to read out the database settings.

Kristian Klausen authored May 02, 2021 and Jelle van der Waa committed May 03, 2021

It seems to work, so we can make the redirect permanent now.

Andrea Denisse Gómez Martínez authored Apr 27, 2021 and Jelle van der Waa committed May 03, 2021

Closes #317.

Leonidas Spyropoulos authored Apr 27, 2021 and Jelle van der Waa committed May 03, 2021

For real now, not like the 798a2d3d

 which did syncrepo
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Kristian Klausen authored Mar 20, 2021 and Jelle van der Waa committed May 01, 2021

The wiki people has been wanting this for some time[1], so let's
implement it.

This change the url from:
https://wiki.archlinux.org/index.php/Main_page
to:
https://wiki.archlinux.org/title/Main_page

[1] https://wiki.archlinux.org/index.php?title=ArchWiki_talk:Requests&oldid=648459#index.php_in_url_address

Leonidas Spyropoulos authored Apr 08, 2021 and Jelle van der Waa committed May 01, 2021

Kernel's OOM killer is often too slow, as a result system ends up
thrashing heavily. Have a user-space oom killer helps.

Using default settings as described in
https://www.freedesktop.org/software/systemd/man/oomd.conf.html



Closes: #306
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Fixes: 49091634 ("loki: Bump the retention period to 3 months")

Leonidas Spyropoulos authored Apr 27, 2021 and Jelle van der Waa committed Apr 27, 2021

Closes #286

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Retain permissions as how they are on the live system, setting 750 will
make nginx unable to read the flyspray directory. Fix when: condition.

Leonidas Spyropoulos authored Apr 13, 2021 and Jelle van der Waa committed Apr 27, 2021

Stop uncontrolled requests before reach php backend

Closes: #276

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

We want to be able to look at trends and past incidents.

The default is very restrictive.

Be explicit about the ports used and enable packet fingerprinting
(checksumming). Both for better compatibility.

To not run into rate-limits when resolving DNS records from rspamd, use
our own local recursive resolver.

Eg. https://whatcanidoforfedora.org/ and
https://whatcanidoformozilla.org/. Mea culpa.

Gitlab can show our alertmanager alerts only for > reporter and create
issues from alerts on gitlab.

This adds Last-Modified header support so we should have less cpu spikes
for the archweb-rebuilderd service.

Now that login is restricted to staff members.