- enable_gzip: grafana listens on localhost, nginx handles compression
- admin_user: initial admin creation is disabled in our config
- strict_transport_security: the same header is set by nginx
- strict_transport_security_max_age_seconds: unused without the above

- common: for deciding when to install/configure smartmontools
- install_arch: installing ucode update only on physical hosts

prometheus_exporters: ignore smartctl exit code 64

See merge request !645

On asia.mirror.pkgbuild.com, 'smartctl -a --json $disk' has been exiting
with code 64. From smartctl(1) code 64 corresponds to "Bit 6: The device
error log contains records of errors". Since we're not interested in old
errors, ignore it.

Tidy up the inventory a bit

See merge request !644

This has become outdated (missing new dedicated servers) and its usage
can be replicated by checking if ansible_virtualization_role == "host".

For Ansible ad hoc commands, '!hcloud' can be used to the same effect.

Repro machines are now placed in the rebuilderd_workers group.

This group is unused and contains fewer than half of our web servers.

Bots are joining earlier and waiting a day before spamming.

Fix #472

grafana: update grafana dashboard for goaurrpc

See merge request !642

Mario Oenning authored 2 years ago and Mario Oenning committed 2 years ago

* Show totals for the last 24 hours (instead of all time)
* Add total search requests pie chart

Signed-off-by: moson-mo <mo-son@mailbox.org>

Wiki says "Do not download it from a mirror" and it sounds more secure.

Fixes: 503b08db ("install_arch: verify bootstrap image signature")

Symlinking home.json to archive.json causes a duplicate, as both
dashboards have the same uid, and Grafana won't keep the dashboards
updated when there are duplicates[1]. Instead just change
default_home_dashboard_path to point to the archive.json dashboard.

[1] "dashboards provisioning provider has no database write permissions
     because of duplicates"

install_arch: verify bootstrap image signature

Closes #458

See merge request !641

Matt Nelson authored 2 years ago and Evangelos Foutras committed 2 years ago

Fixes #458.

Cleanup onboarding and offboarding template

Closes #372

See merge request !627

Fixes: 2c69e12d ("Extend onboarding information for signing keys")

We have offered a arch mail address, for support staff, for over a
year[1][2] and the only difference, is that support staff must only be
granted SSH access to mail.archlinux.org. SSH access to
homedir.archlinux.org is also allowed, but it is opt-in[3].

[1] 7287d6d3 ("archroles: Add support-staff group")
[2] 50c3e0f9 ("archusers: Support restricting users to specific hosts")
[3] e0e52552 ("Allow Alad access to homedir.archlinux.org")

Fix #372

Since [1][2].

[1] gluebuddy@8a105288
[2] !524

[1] https://lists.archlinux.org/archives/list/staff@lists.archlinux.org/thread/3LFY3OVV4MHXR2WTYDFS6EWNATGFCE3E/

Reaching out to the user is cumbersome, especially if the user is being
offboarded due to inactivity.

Fixes: bb000824 ("mailman: Second batch of mailman3 migrated lists")

aurweb: enable goaurrpc metrics

See merge request !640

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Co-authored-by: Kristian Klausen <kristian@klausen.dk>
Co-authored-by: moson-mo <mo-son@mailbox.org>

3690/tcp -> svn

The nginx role already enables the http and https services.

4242/tcp -> quassel
 113/tcp -> ident

51820/udp -> wireguard

WireGuard was setup to provide a internal network with confidentiality,
authenticity and integrity[1]. This migrate the remaining Prometheus
exporters to use the internal WireGuard network.

[1] 664deb67 ("WireGuard all hosts")

Fix #384

aurweb: setup goaurrpc

See merge request !639

Expose aurweb RPC using goaurrpc to reduce the load on the server.
Additionally we can now geo-serve this ro reduce load and bandwidth.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

aurweb: setup git gc for all aurweb git repos

See merge request !638

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>