- Sep 24, 2024

- Sep 22, 2024

Jan Alexander Steffens (heftig) authored

Jan Alexander Steffens (heftig) authored

Jan Alexander Steffens (heftig) authored
The default set is defective and only covers `twitter.com` and `youtube.com/shorts`. Take the [official list][1] and filter it to remove providers that Synapse rejects.

[1]: https://oembed.com/providers.json
- Sep 16, 2024

Leonidas Spyropoulos authored

- Sep 15, 2024

Leonidas Spyropoulos authored
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

- Sep 09, 2024

Jan Alexander Steffens (heftig) authored
Currently needs a hack in /var/lib/synapse/matrix-appservice-irc/node_modules/matrix-appservice-bridge/lib/components/media-proxy.js to replace the `"http"` require with `"https"` or the proxy won't work. See: https://github.com/matrix-org/matrix-appservice-bridge/issues/507
Jan Alexander Steffens (heftig) authored

Jan Alexander Steffens (heftig) authored

- Sep 08, 2024

Jelle van der Waa authored
Onboard anonfunc as Package Maintainer

Closes #595

See merge request !869
- Sep 05, 2024

Jelle van der Waa authored
Anonfunc has been a Junior packager for longer than two months.

Fixes: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/595
- Sep 01, 2024

Kristian Klausen authored
tf-stage1: Add HTTPS[1] DNS records for speeding up HTTP/3 negotiation

See merge request !867

Kristian Klausen authored
This should have been added in the HTTP/3 commits[2][3], but it was my understanding that it was not supported by Hetzner DNS. It apparently is supported but not documented.

Cloudflare has a blog post[4] explaining how this speeds up HTTP/3 negotiation. Basically, the clients can connect over HTTP/3 right away, rather than having to connect with an older protocol (probably HTTP/2 in our case) and then upgrade to HTTP/3 (based on the Alt-Svc header).

Our domains are HSTS preloaded[5], so it would not speed up HTTPS negotiation in most cases.

[1] https://datatracker.ietf.org/doc/html/rfc9460
[2] 8dfa7e8c ("nginx: Add plumbing for enabling HTTP/3 conditionally")
[3] 28e0f03c ("Enable HTTP/3 for {,aur.,wiki.}archlinux.org")
[4] https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns
[5] https://hstspreload.org/

Ref #606
- Aug 31, 2024

Evangelos Foutras authored

- Aug 27, 2024

Christian Heusel authored
Update archmanweb to v1.12

Closes #622

See merge request !868

Jakub Klinkovský authored

- Aug 26, 2024

Evangelos Foutras authored
pkgbuild_org_a -> pkgbuild_com_a
pkgbuild_org_aaaa -> pkgbuild_com_aaaa
- Aug 25, 2024

Kristian Klausen authored
Fixes: 0c976679 ("Deploy tempo")

- Aug 19, 2024

Kristian Klausen authored
Fix typos in firewalld and fail2ban roles

See merge request !828
Jakub Klinkovský authored

Jakub Klinkovský authored

Evangelos Foutras authored
CPX51 is a bit expensive (€54.4/mo) and based on performance monitoring the CX52 should accomplish the same job at a much lower cost (€31.9/mo).
Christian Heusel authored
Switch from redis to valkey

See merge request !863

Christian Heusel authored
We do this since the redis package is soon to be deprecated: https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/2ERGX565GSSBUMADBG7DQJYNPJD5GUXD/

Signed-off-by: Christian Heusel <christian@heusel.eu>

- Aug 18, 2024

Kristian Klausen authored
The project access token expired ~3 months ago and the CI script has just been switched to using a job token instead[1]. The project bot user has zero activity so I decided to delete it.

[1] arch-boxes@afa85791
Kristian Klausen authored
Fixes: 87b2eddf ("aurweb: enable goaurrpc metrics and dashboard")

Kristian Klausen authored
We do not usually expose metrics publicly and there is no good reason for handling aurweb differently.

Fixes: 74757d6b ("Scape aurweb metrics")

Kristian Klausen authored
It seems to have broken with the release of filesystem 2021.12.07, which incorporates this upstream change[1] in [2]. Please also see the upstream issue[3].

I'm not sure why we used ansible_fqdn in the first place as inventory_hostname should be preferred (as we define it ourselves).

[1] https://github.com/systemd/systemd/commit/ce266330fc3bd6767451ac3400336cd9acebe9c1
[2] archlinux/packaging/packages/filesystem@fc84245e
[3] https://github.com/systemd/systemd/issues/20358
Kristian Klausen authored
Fixes: 8dfa7e8c ("nginx: Add plumbing for enabling HTTP/3 conditionally")

Evangelos Foutras authored
We don't want these comments to be added to docs/ssh-known_hosts.txt. From OpenSSH 9.8 release notes [1]:

 * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether.

[1] https://www.openssh.com/txt/release-9.8
Kristian Klausen authored
It has been disabled client side since 7.0[1] (2015-08-11), server side since 7.7[2][3] (2018-04-02), default DSA host key generation has been disabled since 9.1[4] (2022-10-04) and with 9.8[5] (2024-07-01) DSA support is disabled by default at compile time. In other words, DSA has de facto been disabled (by default) for years.

From the 9.8 release notes[5]: "OpenSSH plans to remove support for the DSA signature algorithm in early 2025"

The DSA host keys have been removed on our servers by running[6]:

    ansible all -a "rm /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub"

[1] https://www.openssh.com/txt/release-7.0
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2662
[3] https://github.com/openssh/openssh-portable/commit/88c50a5ae20902715f0fca306bb9c38514f71679
[4] https://www.openssh.com/txt/release-9.1
[5] https://www.openssh.com/txt/release-9.8
[6] #596 (comment 203938)

Fix #596
Kristian Klausen authored
Enable HTTP/3 for {,aur.,wiki.}archlinux.org

See merge request !850

- Aug 17, 2024

Kristian Klausen authored
They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the ":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606
Kristian Klausen authored
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection are directed to the same worker. reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
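The layout the commit describes (one default_server owning the single reuseport plus ssl_reject_handshake, and a per-host vhost with QUIC enabled), as a constructed example that is not the infrastructure repo's own template; the snippet path, server names, certificate paths and upstream address are placeholders.

```nginx
# Constructed example, not the Arch infrastructure repo's nginx templates.
# Catch-all "inventory_hostname vhost": holds the default_server and the one
# and only reuseport for 443/udp, and rejects handshakes for unknown names
# without needing an ssl_certificate of its own.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    # reuseport may appear only once per address:port. QUIC needs it so that
    # every UDP datagram of one connection is steered to the same worker.
    listen 443 quic reuseport default_server;
    listen [::]:443 quic reuseport default_server;
    ssl_reject_handshake on;
}

# A vhost with HTTP/3 enabled. In the role these listen lines would come from
# the managed snippet (hypothetical name: snippets/listen-443.conf) so that
# the quic lines are rendered only on hosts where HTTP/3 is switched on.
server {
    server_name example.archlinux.org;      # placeholder name
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic;                        # no reuseport here: see above
    listen [::]:443 quic;
    http2 on;
    http3 on;
    ssl_certificate     /etc/ssl/certs/example.crt;     # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.key;

    # Tell clients that arrived over TCP that h3 is available (cached 1 day).
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    location / {
        # HTTP/3 carries the host in :authority, so $host is the safe choice
        # ($http_host is empty on h3 requests).
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

Run `nginx -t` after rendering; a second `reuseport` on the same address:port or a missing certificate on a non-rejecting ssl vhost are both caught at config test time.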
Kristian Klausen authored
docs: Make the Junior DevOps program mandatory

See merge request !853
Kristian Klausen authored
When you become full DevOps you are basically handed the keys to the kingdom; for this reason alone, access should not be given too easily. Making the Junior DevOps program mandatory will ensure access is given out in incremental steps.

The pair programming requirement has been reworded to reflect the reality, as we never really did pair programming.
Kristian Klausen authored
Fix missing HSTS header for some URLs due to nginx "directive inheritance"[1]

Closes #608

See merge request !859

Kristian Klausen authored
F5/nginx has blogged about this[1] and it is also mentioned in nginx's documentation[2]:

"There could be several add_header directives. These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level."

The problem occurs when add_header is used in a child context like a server{} or location{} block. It is solved by moving the HSTS header into a snippet, which is now included before all add_header lines.

For now the HSTS header is the only global header, but in the future we may need to add more global headers, like the Alt-Svc header[3] for HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608
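The inheritance pitfall and the snippet-based fix from the commit, as a constructed example rather than the repo's own configuration; server names, the snippet path and certificate paths are placeholders.

```nginx
# Constructed example, not the Arch infrastructure repo's config.
# BEFORE: HSTS is set at server level, but /static/ defines its own
# add_header, so it inherits nothing and responses from it lack HSTS.
server {
    listen 443 ssl;
    server_name broken.example;                       # placeholder
    ssl_certificate     /etc/ssl/certs/example.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.key;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location /static/ {
        # This single add_header silently discards the server-level one.
        add_header Cache-Control "public, max-age=86400";
        root /srv/http;
    }
}

# AFTER: the global header lives in a snippet (hypothetical path
# snippets/headers-global.conf, containing only the HSTS add_header line)
# that is included before the first add_header of every context that sets
# headers, so no context relies on inheritance.
server {
    listen 443 ssl;
    server_name fixed.example;                        # placeholder
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    include snippets/headers-global.conf;

    location /static/ {
        include snippets/headers-global.conf;         # re-include here
        add_header Cache-Control "public, max-age=86400";
        root /srv/http;
    }
}
```

A quick regression check is `curl -sI https://<host>/static/<file> | grep -i strict-transport-security` against every location that sets its own headers, not just `/`.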
Leonidas Spyropoulos authored
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>