https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/QSBPAWQGOT66VHP62ODTMLAICRTBUYP7/

Related to #625



Signed-off-by: Christian Heusel <christian@heusel.eu>

The default set is defective and only covers `twitter.com` and
`youtube.com/shorts`.

Take the [official list][1] and filter it to remove providers that
Synapse rejects.

[1]: https://oembed.com/providers.json

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Currently needs a hack in
/var/lib/synapse/matrix-appservice-irc/node_modules/matrix-appservice-bridge/lib/components/media-proxy.js
to replace the `"http"` require with `"https"` or the proxy won't work.

See: https://github.com/matrix-org/matrix-appservice-bridge/issues/507

Onboard anonfunc as Package Maintainer

Closes #595

See merge request !869

Anonfunc has been a Junior packager for longer then two months.

Fixes: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/595

tf-stage1: Add HTTPS[1] DNS records for speeding up HTTP/3 negotiation

See merge request !867

This should have been added in the HTTP/3 commits[2][3], but it was my
understanding that it was not supported by Hetzner DNS. It apparently is
supported but not documented.

Cloudflare has a blog post[4] explaining how this speeds up HTTP/3
negotiation. Basically, the clients can connect over HTTP/3 right away,
rather than having to connect with an older protocol (probably HTTP/2 in
our case) and then upgrade to HTTP/3 (based on the Alt-Svc header).

Our domains are HSTS preloaded[1], so it would not speed up HTTPS
negotiation in most cases.

[1] https://datatracker.ietf.org/doc/html/rfc9460
[2] 8dfa7e8c ("nginx: Add plumbing for enabling HTTP/3 conditionally")
[3] 28e0f03c ("Enable HTTP/3 for {,aur.,wiki.}archlinux.org")
[4] https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns
[5] https://hstspreload.org/

Ref #606

Update archmanweb to v1.12

Closes #622

See merge request !868

pkgbuild_org_a    -> pkgbuild_com_a
pkgbuild_org_aaaa -> pkgbuild_com_aaaa

Fixes: 0c976679 ("Deploy tempo")

Fix typos in firewalld and fail2ban roles

See merge request !828

CPX51 is a bit expensive (€54.4/mo) and based on performance monitoring
the CX52 should accomplish the same job at a much lower cost (€31.9/mo).

Switch from redis to valkey

See merge request !863

We do this since the redis package is soon to be deprecated:
https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/2ERGX565GSSBUMADBG7DQJYNPJD5GUXD/



Signed-off-by: Christian Heusel <christian@heusel.eu>

The project access token expired ~3 months ago and the CI script has
just been switched to using a job token instead[1]. The project bot user
has zero activity so I decided to delete it.

[1] arch-boxes@afa85791

Fixes: 87b2eddf ("aurweb: enable goaurrpc metrics and dashboard")

We do not usually expose metrics publicly and there is no good reason
for handling aurweb differently.

Fixes: 74757d6b ("Scape aurweb metrics")

It seems to have broken with the release of filesystem 2021.12.07, which
incorporates this upstream change[1] in [2]. Please also see the
upstream issue[3].

I'm not sure why we used ansible_fqdn in the first place as
inventory_hostname should be preferred (as we define it ourselves).

[1] https://github.com/systemd/systemd/commit/ce266330fc3bd6767451ac3400336cd9acebe9c1
[2] archlinux/packaging/packages/filesystem@fc84245e
[3] https://github.com/systemd/systemd/issues/20358

Fixes: 8dfa7e8c ("nginx: Add plumbing for enabling HTTP/3 conditionally")

[1] https://github.com/prometheus/prometheus/commit/8fdfa52976ebb0c0594962fe4dac7605373fa638

We don't want these comments to be added to docs/ssh-known_hosts.txt.

From OpenSSH 9.8 release notes [1]:

 * ssh-keyscan(1): this tool previously emitted comment lines
   containing the hostname and SSH protocol banner to standard error.
   This release now emits them to standard output, but adds a new
   "-q" flag to silence them altogether.

[1] https://www.openssh.com/txt/release-9.8

It has been disabled client side since 7.0[1] (2015-08-11), server side
since 7.7[2][3] (2018-04-02), default DSA host key generation has been
disabled since 9.1[4] (2022-10-04) and with 9.8[5] (2024-07-01) DSA
support is disabled by default at compile time. In other words, DSA has
de facto been disabled (by default) for years.

From the 9.8 release notes[5]:
"OpenSSH plans to remove support for the DSA signature algorithm in
early 2025"

The DSA host keys have been removed on our servers by running[6]:
ansible all -a "rm /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub"

[1] https://www.openssh.com/txt/release-7.0
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2662
[3] https://github.com/openssh/openssh-portable/commit/88c50a5ae20902715f0fca306bb9c38514f71679
[4] https://www.openssh.com/txt/release-9.1
[5] https://www.openssh.com/txt/release-9.8
[6] #596 (comment 203938)

Fix #596

Enable HTTP/3 for {,aur.,wiki.}archlinux.org

See merge request !850

They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on
archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the
":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606

We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606

docs: Make the Junior DevOs program mandatory

See merge request !853

When you become full DevOps you are basically handed the keys to the
kingdom, for this reason alone, access should not be given too easily.
Making the Junior DevOps program mandatory will ensure access is given
out in incremental steps.

The pair programming requirement has been reword to reflect the reality,
as we never really did pair programming.

Fix missing HSTS header for some URLs due to nginx "directive inheritance"[1]

Closes #608

See merge request !859

F5/nginx has blogged about this[1] and it is also mentioned in nginx's
documentation[2]:
"There could be several add_header directives. These directives are
inherited from the previous configuration level if and only if there are
no add_header directives defined on the current level. "

The problem occurs when add_header is used in a child context like a
server{} or location{} block. It is solved by moving the HSTS header
into a snippet, which is now included before all add_header lines.

For now the HSTS header is the only global header, but in the future we
may need to add more global headers, like the Alt-Svc header[3] for
HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>