With the support for network.wireguard.* credentials[1] in systemd
v256[2], we can now easily avoid storing the credentials centrally in
our ansible vault, which is preferable as it makes the private keys less
exposed. It may also make fine-grained access easier in the future[3] as
there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored
on the servers.

[1] https://github.com/systemd/systemd/pull/30826
[2] https://github.com/systemd/systemd/releases/tag/v256
[3] #64

The naming of yaml files should be consistent.

They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on
archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the
":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606

The wiki has been hammered with requests from some stupid Chinese
bots/crawlers. Adding a simple challenge (requiring a cookie to be set),
seems to be enough to throw them off.

This was initially added for all pages, but as that could affect Chinese
search engines (concern raised on the forum[1]), it was changed to only
affect "action views", which search engines are not supposed to crawl.

[1] https://bbs.archlinux.org/viewtopic.php?pid=2185963#p2185963

group_vars/all was enabling just the sshd jail so move this into the
fail2ban role defaults. patchwork, security and wiki were redefining
fail2ban_jails without deviating from the group_vars/all default and
can therefore be dropped.

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

This is needed for prometheus memcached exporter to work.

(AUR doesn't seem to use memcached anymore, but changed it for
consistency.)

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

Ansible complains if the fail2ban_jails dictionary is missing the
nginx_limit_req key. Adding this as default failse.

Bugfix from: e5773374

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Added a host_vars file for the new wiki.archlinux.org machine, with the required
variables, specially the memcached_socket, for the prometheus exporter.

Added a host_var file for archlinux.org as well as the playbook for archlinux.org
machine. It it's a stripped down version of apollo's playbook, only containing the roles
pertaining archweb.