group_vars/all was enabling just the sshd jail so move this into the
fail2ban role defaults. patchwork, security and wiki were redefining
fail2ban_jails without deviating from the group_vars/all default and
can therefore be dropped.

Ansible complains if the fail2ban_jails dictionary is missing the
nginx_limit_req key. Adding this as default failse.

Bugfix from: e5773374

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Zabbix has been replaced by Prometheus for monitoring our services.

For all hosts we want to have a working fail2ban for sshd brute force
attempts through a group_vars/all. For some hosts an override is
required to enable postfix or dovecot jails.

Extend the memcached service for the AUR to allow the memcached group to
read the socket to obtain statistics.

Add a new role called prometheus_exporters which should be run on every
machine we have and starts different collectors depending on what group
the machine is in. Currently supported our the gitlab runner exporter,
rebuilder textcollector, mysqld-exporter, borg textcollector and an
node/arch exporter. The arch exporter monitors the security status and
pacman out of date packages gauge.

Add a variable that takes the SSH_CLIENT environment variable to save the
ip address of the machine actually running the playbooks. This can be used
on maintenance mode to allow in the person running the playbook and let
everybody else to see the maintenance page.

This is because otherwise we'll fail to install on any system not explicitly running Python 3.7 (like some Debian we provision Arch on).
We don't strictly need Python 3.7 and most Python 3 versions will in fact work with Ansible.

It's highly unlikely we'll be using anything other than cubic, so there
is no need for this to be configurable.

BBR behaves badly when it is not the sole connection. It slows down
other streams (bbr and cubic) and generally doesn't scale well when
deployed widely. Let's disable it so we don't make the internet for
others worse.

https://ripe76.ripe.net/presentations/10-2018-05-15-bbr.pdf

https://kanboard.archlinux.org/public/task/117/7dd7510424e4229247e8e0b90bf43e1553fce86cdf8475b60edc956ed5a8



Signed-off-by: Florian Pritz <bluewind@xinu.at>

This is mostly so that the roles runs OK and that we have every host in
there. This change only affects 2 unused pia machines. All other hosts
already set a template list.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

This only changes the dns server of two unused PIA boxes. All other
machines were already configured like this.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

We don't need resolved and it is sometimes buggy so let's just get rid
of it and use unbound like we do on our mail machines already.

Details: https://kanboard.archlinux.org/public/task/104/7dd7510424e4229247e8e0b90bf43e1553fce86cdf8475b60edc956ed5a8



Signed-off-by: Florian Pritz <bluewind@xinu.at>