The service was enabled in arch-boxes to account for "hardware clock is
not in UTC, but instead UTC+X"[1], in our case the (VM) hardware clock
is in UTC and we therfor don't need the slow systemd-time-wait-sync
service (+30 seconds).

[1] arch-boxes@e23d3c57

Fixes: 2e799bd1 ("arch_boxes_sync: Create predictable symlinks for latest image files")

arch-boxes has decided to use GitLab's package registry instead of job
artifacts[1].

[1] archlinux/arch-boxes@d04c8274

Fixes: 2e799bd1 ("arch_boxes_sync: Create predictable symlinks for latest image files")

The mailing list is used for non-public communication with users, so everyone needs be able to post to it.
It is also the assigned email address of the ArchWiki user "WikiSysop".
See https://wiki.archlinux.org/title/ArchWiki:Maintenance_Team#Who,_when_and_how_to_contact

From time to time aurweb is failing with "Too many open files"
errors[1], this could indicate a bug in aurweb or perhaps the limit is
just too low. Let's try doubling the limit and see if it helps.

[1] https://gitlab.archlinux.org/archlinux/aurweb-errors/-/issues/275

The code isn't vulnerable to nginx alias traversal[1][2], nevertheless
it should only match /static/ and not e.g. /staticfoobar.

[1] d94f18a7 ("Fix nginx alias traversal")
[2] https://github.com/yandex/gixy/blob/641060d6355fbb5bd71695928a2bf14a9bcb8bf2/docs/en/plugins/aliastraversal.md

Fixes: 9294828f ("Setup mailman3 server")

Whoosh is used by default, but it is slow at indexing (multiple hours
for just aur-requests) and searching e.g. aur-requests isn't possible
(it is slow and uses 3G+ of memory resulting in it getting OOM-killed).

Xapian indexed everything in just 76 minutes and searching aur-requests
now works and is plenty fast.

Co-authored-by: Evangelos Foutras <evangelos@foutrelis.com>

This avoids triggering a GitLab push rule which rejects files that look
like secrets.

Going to be served by all our Geo boxes under riscv.mirror.pkgbuild.com.

Fixes: 578b7819 ("Capitalize the handler name in handler invocations")
Fixes: 26f289b7 ("Capitalize the first letter of all task names")

All lists have been migrated to mailman3[1] and mailman3 is what users
should use, so show its interface by default and not the mailman2
interface.

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")

Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")

arch-general
aur-general
aur-requests

It has been decided not to migrate the following unlisted and unused
lists:
arch-magazine
arch-notifications
arch-test
mailman

Fixes: 92586d5b ("change(aurweb): rework ansible config for 6.0.0")

Required for poetry 1.2 until #1917 is fixed

https://github.com/python-poetry/poetry/issues/1917



Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

The default (40KB) isn't enough for all patches.

Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel.
See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7

This could prevent a scenario where a malicious kernel module or access to some interface that kernel lockdown prevents, would allow or assist in escaping the KVM.
It is not very likely as there needs to be an exploitable vulnerability in the hypervisor.
To make it more secure, the host too would need to enable kernel lockdown.

In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.

arch-commits
arch-security
aur-dev
pacman-contrib
pacman-dev

It is cumbersome to manage the list configurations from the web ui and
easy for them to diverge, so let's instead manage them with Ansible.

Fix #254

The default of 0.5 has proven insufficient on at least 3 boxes so far.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Otherwise it can't open our letsencrypt certs. It will setuid to
`turnserver` itself.

We get a lot of unauthorized STUN requests in the logs.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This avoid having extra-long lines and works fine for task-based rules.

This might be a bug in ansible-lint 6.5.0, but it appears to ignore all
our 'skip_ansible_lint' tags. Fix this by replacing them with noqa tags.