All servers are part of these groups which makes them redundant.

Keycloak 18.0.0 disallows this by default; enable the legacy behavior
temporarily. When this stops working, we should consider removing the
'redirect_uri' parameter entirely. Should also check if GitLab and/or
Grafafa have implemented support for alternative ways of signing out:

- https://gitlab.com/gitlab-org/gitlab/-/issues/14414
- https://github.com/grafana/grafana/issues/24643

tf-stage2: update keycloak provider to 3.8.1

See merge request !569

OpenID clients:
- 'use_refresh_tokens' set to false to preserve the values on live
- 'backchannel_logout_session_required' implicitly changed to true
  for the 'grafana_openid_client' and 'openid_gitlab' clients

SAML client (GitLab):
- 'front_channel_logout' set to false to preserve the live setting

Otherwise running terraform under tf-stage2 will often fail with:

> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'

gitlab-exporter: add gitlab-exporter to monitoring

See merge request !566

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Bash histories indicate this isn't being used anywhere other than
{build,gemini}.archlinux.org and gemini's filelist is so big that
locate becomes so slow that it's practically useless on this box.

Onboard artafinde as Junior DevOps

Closes #452

See merge request !567

artafinde is our new newest Junior DevOp[1] and will get access to:
* monitoring.al.org: for setting up gitlab-exporter[1]
* gitlab.al.org: for setting up gitlab-exporter[1]
* dashboards.al.org: in case he wants to do more monitoring related
  stuff

[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/

Fix #452

Move highly sensitive secrets to new "super" vault

See merge request !565

- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access

The idea bebind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.

These were previously removed temporarily and re-created several minutes
later during the process of deploying archusers to gemini.archlinux.org.

Add additional pubkey for dvzrv

See merge request !568

pubkeys/dvzrv.pub:
Add pubkey based on auth subkey of PGP key
`1793DAD5D803A8FFD7451697BB992F9864FAD168`.

geomirror: leverage LUA records for failover+GeoIP

See merge request !563

In an effort to stay consistent with the TTL used for the archlinux.org
and pkgbuild.com NS records, as well as slightly improve lookup latency.

PowerDNS provides a neat way to implement GeoIP-based redirection and
automatic failover. With GeoLite2-City database, it is able to select
the closest mirror from a list of IPs we provide. Every 60 seconds it
also checks if the mirror's HTTPS URL is working as expected; if that
check fails, it stops giving it out (this acts as automatic failover).

archbuild: Distribute CPU and IO resources equally among users

See merge request !564

archbuild: Turn off Git's safe.directory

See merge request !561

Without this setting, Git exits with an error when the repository is not
owned by the current user. This messes with our shared srcdest.

Packer bootstrap tweaks

See merge request !562

New hcloud adds protection fields to servers, volumes and floating IPs.

Since we are now using the local disk instead of a volume (which can be
scaled up easily) it helps to have a more consistent view of free space.

All database user passwords have been updated to use scram-sha-256, so
there's no need for backward compatibility with md5.