We are hitting a lot of permission problems lately for sources that are
co maintained. The culprint were wrong facl permissions that have not
been adjusted since we renamed TU to Packager.
Reflect this change by fixing the groups in the archbuild tasks to use
junior-dev and junior-packager.

Requested by dvzrv[1] and implemented in this MR[2].

[1]: signstar#91
[2]: signstar!125



Signed-off-by: Christian Heusel <christian@heusel.eu>

This seems to be a leftover from the migration of our packager roles.
All packagers should be able to upload sources to our packages
directory, hence change the permissions from the junior-dev group to the
junior-packager group.

Fixes #637

Keeping up with the sequoia interface changes is no fun and has caused
us work previously, therefore replace it with rsop which has a
standardized interface.

Co-Authored-by: David Runge <dvzrv@archlinux.org>
Signed-off-by: Christian Heusel <christian@heusel.eu>

As per my announcement to arch-devops[1] and staff, this adds a Mumble
server for Arch Linux.

The password for the special root user SuperAdmin is automatically
generated on first launch and printed to the logs. I went ahead and
added it to the vault. It should not usually be required to login as
SuperAdmin though as long as there are user admins around.

This uses certbot for local certificates.

[1] https://lists.archlinux.org/archives/list/arch-devops@lists.archlinux.org/thread/AHAOSTGFJTLQDSXLWFORDKGR6RDVHYEI/

Also regenerate the list of Prometheus Blackbox targets, adding:

- https://london.mirror.pkgbuild.com
- https://package-maintainer-bylaws.aur.archlinux.org

This differs from the way we install packages in all the other roles, so
revert the commit to ensure consistency.

This reverts commit ab1d8e84.

Fixes: 7ea1eb29 ("gitlab_runner: Refactor libvirt-executor")

It failed to reboot during the last upgrade procedure. Upon logging into
the Equinix Metal console, we discovered that we lack access to all 4 of
the servers sponsored by Equinix Metal. They are under the CNCF account,
and it's not possible to transfer them to our organization.

Equinix Metal is being sunset, and the remaining 3 servers will also go
away on June 30th 2026. We can keep them until then, or until they fail
to boot like seoul.mirror.pkgbuild.com.

alpm-buildinfo and alpm-types have been consolidated into the alpm
project[1], for which GitLab Pages was recently configured[2][3].

Requested by @dvzrv.

[1] https://gitlab.archlinux.org/archlinux/alpm/alpm
[2] archlinux/alpm/alpm#32
[3] 3d54b56c ("Add GitLab Pages for alpm")

We are not on top of expiring bot tokens and we usually only notice when
someone else points it out.

It is also a bit cumbersome to add new bot tokens, so avoid the issue
altogether, by just extending the lifetime of the bot tokens
continuously.

Fix #617

The behavior is mentioned in the documentation[1], but gitlab has not
always done it this way (e.g. some of the older project bots still
exist, even though the project tokens expired several months ago).

[1] https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects

This will be used for deleting old packages (i.e. the fortnightly
packages which are older than 90 days). I thought using a job token
would work (as described in [1]), but that turned out not to be the case
as explained in [2].

[1] 242213b2 ("gluebuddy: Remove deleted project bot for arch-boxes")
[2] arch-boxes@48ccb457

As it turns out the value for this filters "rounds" parameter strongly
differs depending on the installed python crypto backend, since
python-crypt uses 5000 rounds while python-passlib uses 656000 rounds
set a default parameter according to ansible documentation.

As really high values for "rounds" lead to some login timeouts it makes
sense for us to use a fixed value for this parameter. In this case 5000
have been chosen as this value reflects the defaults from python-crypt
aswell as /etc/login.defs in the shadow package.

Link: https://github.com/ansible/ansible/pull/77963/files
Related-to: #250


Signed-off-by: Christian Heusel <christian@heusel.eu>

This will be used for issue-bot[1][2] similar as it is done in the
signstar project[3].

[1] https://gitlab.com/gitlab-org/distribution/issue-bot
[2] arch-boxes@f0c7c7e7
[3] signstar@4e1cfa1e

Requested by Orhun[1].

[1] archlinux/alpm/alpm!9

This ensures that the fully templated file is syntactically is a valid php file.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Despite multiple people reviewing the change this was not spotted 



Signed-off-by: Christian Heusel <christian@heusel.eu>

nl6720 authored 5 months ago and Christian Heusel committed 5 months ago

https://wiki.archlinux.org/title/Template:Text_art needs a consistent font.

Discussed in https://wiki.archlinux.org/title/Template_talk:Text_art#Use_of_non-ASCII_characters

Signed-off-by: Christian Heusel <christian@heusel.eu>

Check the HTTPS DNS records of the following Geo domains:

- geo.mirror.pkgbuild.com
- riscv.mirror.pkgbuild.com

Ensure they return: "1 . alpn=h2,h3 ipv4hint=... ipv6hint=..."

Ref #606

pacman/curl does not utilize HTTP/3, but it makes sense to enable
regardless to ensure consistency.

We self-host the authoritative nameservers for the geo domains, so the
configuration has been tweaked to add the HTTPS DNS record for each geo
domain.

Ref #606

Signed-off-by: Christian Heusel <christian@heusel.eu>

This will be used for issue-bot[1] similar as it is done in the
signstar project[2].

[1] archlinux/signstar#20 (comment 201743)
[2] https://gitlab.com/gitlab-org/distribution/issue-bot

This will be used to create issues for the monthly reports[1][2].

[1]: archlinux/project-management!1
[2]: archlinux/project-management#31



Signed-off-by: Christian Heusel <christian@heusel.eu>