This seems to be a leftover from the migration of our packager roles.
All packagers should be able to upload sources to our packages
directory, hence change the permissions from the junior-dev group to the
junior-packager group.

Fixes #637

We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606

archlinux.org started rejecting connections without SNI because of
experiments with deploying HTTP/3.

See: !850

pita strudl authored 8 months ago and pita strudl committed 8 months ago

We try to ensure an atomic operation of the lastsync file. This requires creating a tmp file which needs to be ignored.
This should take care of having empty lastsync files being served.
Possible cause is that the IO is stuck thus taking several seconds to write the lastsync timestamp.
This causes mirrors to download the empty file which causes checks to fail.

This allows serving a stale response even to the request that triggers
an update. This should ensure all requests finish quickly.

With just `proxy_cache_use_stale updating`, the request that attempts to
update the cache waits for the response, while all other requests get to
use the stale response.

Currently archweb is badly overloaded and can take over half a minute to
respond. Pacman is not that patient and fails the download.

It is unclear why this was added, as we can just use the default lock
file path (/var/run/rsyncd.lock). Using a non-default path was not added
in the offending commit, but remove it in this revert commit
nevertheless, so the commit can be reverted.

This reverts commit e4e07516.

Robin Candau authored 9 months ago and Robin Candau committed 9 months ago

> 2024/06/02 11:05:53 \[warn\] 30324#30324: the "listen ... http2" directive is deprecated, use the "http2" directive instead

Fixes #589

related to #531



Co-authored-by: Kristian Klausen <kristian@klausen.dk>
Signed-off-by: Christian Heusel <christian@heusel.eu>

This is already done for the 'sudo' role, but we also have a few more
sudoers files which currently go in unverified.

Signed-off-by: Christian Heusel <christian@heusel.eu>

archlinux/dbscripts@cde46716


includes fixes for pacman 6.1

Signed-off-by: David Runge <dvzrv@archlinux.org>

Now matching the config in dbscripts itself. Also sort the repos.

In FS#79592 we encountered yet another case where sogrep was not able to
detect the necessary rebuild because the binaries reside in the
non-standard path "/usr/share/$pkgname/bin/" which we currently do not
take into account.

This commit fixes this behaviour by also taking files symlinked from one
of the standard locations into account.

So far the for loop recognized filenames with spaces as different words:

$ for f in $(find pkg -type f); do echo "$f"; done
pkg/usr/bin/Surge
XT
Effects
pkg/usr/bin/Surge
XT

While the correct output here would have been:
pkg/usr/bin/Surge XT Effects
pkg/usr/bin/Surge XT

We fix this by just passing everything directly to readelf, which also
removes the loop overhead. This results in a significant speedup for
packages with a lot of libraries and binaries.

fixes: #524


Co-Authored-By: Evangelos Foutras <evangelos@foutras.com>

Jelle van der Waa authored 1 year ago and Jelle van der Waa committed 1 year ago

Creating a full new links db from scratch exhausts /tmp

Jelle van der Waa authored 1 year ago and Jelle van der Waa committed 1 year ago

Nginx does not directly support cgi scripts so we rely on fcgiwrap. All
git repositories under /srv/repos are exported if they have a special
git-daemon-export-ok file in their .git directory.

Jelle van der Waa authored 1 year ago and Jelle van der Waa committed 1 year ago

This drops all svn specific functionality and switches to dbscripts git
version. Drops the community repository as it's merged into extra.

Jelle van der Waa authored 1 year ago and Levente Polyak committed 1 year ago

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

Liberally add "noqa no-changed-when" tags to the problematic tasks,
except for two "systemd-tmpfiles --create" calls. For these we can
simply include the creates= parameter in the command module's call.

3690/tcp -> svn

Seems ansible-lint thinks a task calling the unqualified user module is
"not valid under any of the given schemas (schema[tasks])".

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This might be a bug in ansible-lint 6.5.0, but it appears to ignore all
our 'skip_ansible_lint' tags. Fix this by replacing them with noqa tags.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

As reported by ansible-lint 6.2.1:

schema: [{'PYTHONPATH': '.'}] is not of type 'object' (schema[tasks])
roles/aurweb/tasks/main.yml:1

schema: [{'SHELL': '/bin/bash'}] is not of type 'object' (schema[tasks])
roles/dbscripts/tasks/main.yml:1

- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access

The intention of "unique" in "groups['buildservers'] | sort | unique"
was to account for combining multiple groups and passing them to the
sort and unique filters. However, with only one group it looks silly.

There is a need for build servers to never build against outdated repo
databases, even with syncrepo providing a local mirror that is updated
every minute. To that effect, we adjust mirrorlist on build servers so
the first mirror is the tier0 mirror provided by gemini.

Keep the syncrepo role on build servers in order to have a local cache
of packages and avoid concurrent build jobs downloading the same files
causing them to be corrupted.

Finally, configure gemini to use its own repos (like other mirrors do).

The sponsored mirrors have a ton of storage, but mirror.pkgbuild.com
doesn't, so debug packages aren't synced to it.

[1] {america,asia,europe}.mirror.pkgbuild.com

Morten Linderud authored 4 years ago and Kristian Klausen committed 3 years ago

Signed-off-by: Morten Linderud <morten@linderud.pw>