I don't expect more GitHub Pages to be set up, so using a explict
resource instead of abstracting it, is fine I think.

[1] https://github.com/archlinux/archinstall/issues/2098

Some of the mails generated by gitlab are way bigger than 200KB, e.g.
this[1] Thunderbird package bump resulting in a 850KB mail. So bump t0
1000KB for now and see if it is enough.

[1] archlinux/packaging/packages/thunderbird@3da91c6e

The last hunk which I applied manually incorrectly retained its pluses.

Fixes: 825a0c92 ("grafana: rebase grafana.ini to grafana 10.2.0-1")

Also add script to make rebasing easier.

Enable error reporting for internal server errors and show stack trace
on a sandbox/dev environment.

Signed-off-by: moson <moson@archlinux.org>

Kristian Klausen authored 1 year ago and Levente Polyak committed 1 year ago

There is no reason for exposing the service to the whole internet nor
communicating without encryption. It could be fixed by restricting the
firewall rule to the public IP of the gitlb server and running it over
HTTPS or we could just use our existing WG network.

To allow gitlab to send requests to a private network address, the IP
has been allowlisted[1]. The endpoint also expects a "secret token"[2],
so it won't accept events from e.g. users creating a webhook with the
same URL.

[1] https://docs.gitlab.com/ee/security/webhooks.html#allow-outbound-requests-to-certain-ip-addresses-and-domains
[2] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token

There is no reason for this and we very rarely use the console anyway.

Ref #541

Trusted Users are now called Package Maintainers.
See the discussion in https://wiki.archlinux.org/title/ArchWiki_talk:Requests#Trusted_User_name_change

Once this is deployed, the users need to be migrated to the new group
by running:

    php ./maintenance/migrateUserGroup.php archtu archpackager

Related to archlinux/infrastructure#533

Closes: #542
Fixes: 722cc5bf ("aurweb: release 6.2.8")

The role has been renamed[1], so rename the bylaw subdomain.

tu-bylaws.aur.a.o will be kept around for some time redirecting to
package-maintainer-bylaws.aur.a.o.

[1] rfcs!7

Ref #533

* bump version
* services: rename tuvotereminder to votereminder
* nginx: redirect /tu to /package-maintainer
* nginx: remove /trusted-user/TUbylaws.html redirect

Signed-off-by: moson <moson@archlinux.org>

This includes several minor ui fixes.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Now matching the config in dbscripts itself. Also sort the repos.

- fix crash when $wgFooterIcons.poweredby is no set
- account for Extension:Renameuser being bundeled with 1.40
- enable the nosniff header for /images
- switch to running maintenance scripts via run.php

Signed-off-by: Christian Heusel <christian@heusel.eu>

Adding the extension was discussed here:
https://wiki.archlinux.org/index.php?title=ArchWiki_talk:Maintenance_Team&oldid=788677#Replace_PNG_images_with_SVG



Signed-off-by: Christian Heusel <christian@heusel.eu>

This also enables the Extension:VisualEditor on user pages.

Addition was positively discussed here:
https://wiki.archlinux.org/index.php?oldid=788677#Enable_the_DiscussionTools_extension



Signed-off-by: Christian Heusel <christian@heusel.eu>

this has been positively discussed here:
https://wiki.archlinux.org/index.php?oldid=788677#Enable_the_Thanks_extension



Signed-off-by: Christian Heusel <christian@heusel.eu>

In FS#79592 we encountered yet another case where sogrep was not able to
detect the necessary rebuild because the binaries reside in the
non-standard path "/usr/share/$pkgname/bin/" which we currently do not
take into account.

This commit fixes this behaviour by also taking files symlinked from one
of the standard locations into account.

The EDNS Client Subnet header can provide a more accurate location of
the client, especially if the client is not near the recursive resolver,
so use it if it's provided.

Since Linux 6.2, Btrfs enables asynchronous trimming in its mount flags.

[1] https://github.com/archlinux/archinstall/issues/1837
[2] https://github.com/torvalds/linux/commit/63a7cb130718

SSH defaults to disallowing empty passwords but Dovecot has no similar
safeguard (at least not one enabled by default). Remove "nullok" from
/etc/pam.d/system-auth to implement the desired behavior system-wide.

ansible-lint 6.19.0 started complaining about this:

   schema[tasks]: 'become_method' must be one of the currently available
   values: ansible.builtin.runas, ansible.builtin.su,
           ansible.builtin.sudo, ansible.netcommon.enable,
           community.general.doas, community.general.dzdo,
           community.general.ksu, community.general.machinectl,
           community.general.pbrun, community.general.pfexec,
           community.general.pmrun, community.general.sesu,
           community.general.sudosu, containers.podman.podman_unshare

The archive is too chonky to fit in 10T so the storage box is now 20T.

The expression "2^40 * ceil(hetzner_storage_box_size_bytes / 2^40)" is
used to round up hetzner_storage_box_size_bytes to the next TB because
when we do "df" on the storage box, the total blocks exclude snapshots.

The gitlab bot added in [1] expired after one month, so this allowlist
the new bot, which expires after 11 months (gitlab's maximum).

[1] 5fb8df85 ("gluebuddy: Add gitlab bot for aurweb-tfstate project")

We have had bruteforce attempts to perform SQL injections on the signup
page. To get rid of the alerts, let's rate limit this properly.