Offboard dreisner as TU/Dev

See merge request !132

Earlier, Terraform would always show a diff because Hetzner DNS API will tranform our entries
after submitting them. This commit ensures that the entries are in the same format the API expects
them to be in from the start.

Remove old task to symlink checkservices to /usr/local/bin

See merge request !133

conf.archlinux.org: Updated revision

See merge request !131

Signed-off-by: Morten Linderud <morten@linderud.pw>

add dkim key removed by previous commit

See merge request !130

Setup SPF record for HELO name

See merge request !122

The RFC[1] recommends it and it seems to be best-pratice these days.

[1] https://tools.ietf.org/html/rfc7208

Document our fail2ban setup

See merge request !94

For all hosts we want to have a working fail2ban for sshd brute force
attempts through a group_vars/all. For some hosts an override is
required to enable postfix or dovecot jails.

Remove secure-runner2

See merge request !128

As it turns out, secure-runner2 isn't fast enough to serve as CI/CD and if we keep rescaling it to be
large enough, it'll be more expensive than secure-runner1 which is a lot faster. So, it'd be most
useful to just get rid of this VPS.

The idea is to cancel secure-runner1 and use secure-runner2 as the sole secure-runner as it should be fast enough.
We originally had secure-runner1 in hardware as we thought we needed KVM but as it turns out, qemu software emulation
via tcg is actually fast enough so that's what we're using now. That also menas that we can now use a cheap cloud
runner for everything.

We decommissioned kanboard in favor of GitLab.

Jelle van der Waa authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

The WKD webservice ran on orion, but as we want to retire it, we will
move it to it's own CX11 VPS. As it's just a simple web page.

Since rebuilderd-website now does cache busting by appending the version
in it's js/css file we can apply cache headers. Also remove the invalid
Feature-Policy header entry.

archweb: change keyserver to keyserver.ubuntu.com

See merge request !107

Filipe Laíns authored 4 years ago and Jelle van der Waa committed 4 years ago

pgp.mit.edu is very slow and is often unreachable, keyserver.ubuntu.com
seems to be the only responsive server out there and is pretty complete,
let's use it instead.

Signed-off-by: Filipe Laíns <lains@archlinux.org>

Apparently our earlier permissions weren't enough.

Closes: #166

This personal access token is for automatically creating official Docker images and will be used via GitLab CI.

We want to periodically update it, not when we deploy the role :)

Add some recommended GitLab cleanup tasks (fixes #110)

Closes #110

See merge request !123

The idea is to make sure people don't blindly add cleanup tasks.

Update the ssh-known_hosts with the sorting fix applied, so the next
time it shouldn't change anymore.

Fix non-deterministic behavior of sync-ssh-hostkeys.yml

Closes #196

See merge request !124

Just in case, locales are complicated...

Fixes #196