- Aug 17, 2024
-
-
Kristian Klausen authored
They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on archlinux.org since 2024-07-22, so I do not expect any issues. $http_host is changed to $host for aurweb, as HTTP/3 uses the ":authority" pseudo-header instead of the "Host" header[1][2]. [1] https://trac.nginx.org/nginx/ticket/2281 [2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html Ref #606
-
Kristian Klausen authored
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role. HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection is directed to the same worker. reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate. [1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen [2] https://lwn.net/Articles/542629/ [3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake Ref #606
-
Kristian Klausen authored
docs: Make the Junior DevOs program mandatory See merge request !853
-
Kristian Klausen authored
When you become full DevOps you are basically handed the keys to the kingdom, for this reason alone, access should not be given too easily. Making the Junior DevOps program mandatory will ensure access is given out in incremental steps. The pair programming requirement has been reword to reflect the reality, as we never really did pair programming.
-
Kristian Klausen authored
Fix missing HSTS header for some URLs due to nginx "directive inheritance"[1] Closes #608 See merge request !859
-
Kristian Klausen authored
F5/nginx has blogged about this[1] and it is also mentioned in nginx's documentation[2]: "There could be several add_header directives. These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level. " The problem occurs when add_header is used in a child context like a server{} or location{} block. It is solved by moving the HSTS header into a snippet, which is now included before all add_header lines. For now the HSTS header is the only global header, but in the future we may need to add more global headers, like the Alt-Svc header[3] for HTTP/3. [1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance [2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc Fix #608
-
Leonidas Spyropoulos authored
Signed-off-by:
Leonidas Spyropoulos <artafinde@archlinux.org>
-
Leonidas Spyropoulos authored
-
- Aug 16, 2024
-
-
Levente Polyak authored
tempo: fix wireguard firewall port for aur.archlinux.org See merge request !864
-
Levente Polyak authored
-
Levente Polyak authored
-
Jelle van der Waa authored
-
Christian Heusel authored
Gitlab recommends a default value of 1/4th of the total memory here, but since the previous value was 1MB we go for a bit more conservative approach here. Fixes: #615 Signed-off-by:
Christian Heusel <christian@heusel.eu>
-
- Aug 15, 2024
-
-
Christian Heusel authored
Tomas has previously been a Junior Package Maintainer, but the two month period is now long up and according to their sponsors their changes in the KDE packaging ecosystem all looked good. Fixes #616 Signed-off-by:
Christian Heusel <christian@heusel.eu>
-
- Aug 14, 2024
-
-
Kristian Klausen authored
dovecot: Enable the body Sieve extension See merge request !862
-
Daniel M. Capella authored
In order to use tests like `body :content "text/plain" :contains "Reassigned Issue"`.
-
Christian Heusel authored
archwiki: Fix typo See merge request !861
-
- Aug 13, 2024
-
-
Daniel M. Capella authored
-
- Aug 11, 2024
-
-
Kristian Klausen authored
archwiki: Do page view caching[1] with nginx for improved performance Closes #315 See merge request !846
-
Kristian Klausen authored
This should not cause any issues as MediaWiki should purge stale content from the cache (by sending a PURGE request to the nginx-cache-purge service).
-
Kristian Klausen authored
We have used MediaWiki's file cache[2] until now, but recently the wiki has been hammered with requests from some stupid Chinese bots/crawlers. Caching at the web server level is faster as we avoid the PHP overhead and it seems to make a difference (performance wise), especially when the bots/crawlers are hitting us. This is usual done with Varnish[3], but I went with a simple Python service (30 LOC) for handling the PURGE requests as that is much simpler thn adding Varnish to our stack. [1] https://www.mediawiki.org/w/index.php?title=Manual:Performance_tuning&oldid=6670283#Page_view_caching [2] https://www.mediawiki.org/wiki/Manual:File_cache [3] https://www.mediawiki.org/wiki/Manual:Varnish_caching Fix #315
-
Kristian Klausen authored
This will be used for issue-bot[1][2]. [1] signstar#20 (comment 201743) [2] https://gitlab.com/gitlab-org/distribution/issue-bot
-
- Aug 09, 2024
-
-
Leonidas Spyropoulos authored
-
- Aug 07, 2024
-
-
Evangelos Foutras authored
install_arch: skip UEFI partition on cloud servers See merge request !857
-
- Aug 06, 2024
-
-
Evangelos Foutras authored
The need for UEFI booting originates from dedicated server and it does not benefit cloud servers. It therefore makes sense to skip it on them.
-
Christian Heusel authored
The module postgresql_privs deprected the "password" parameter in favour of the "login_password" parameter, therefore replace accordingly. https://github.com/ansible-collections/community.postgresql/blob/main/CHANGELOG.rst#id19 Fixes #603 Signed-off-by:
Christian Heusel <christian@heusel.eu>
-
- Aug 05, 2024
-
-
Jan Alexander Steffens (heftig) authored
-
Jan Alexander Steffens (heftig) authored
-
- Aug 04, 2024
-
-
Evangelos Foutras authored
"The user profile feature is now enabled by default." [1] [1] https://www.keycloak.org/docs/24.0.2/upgrading/#user-profile-changes
- Aug 03, 2024
-
-
Sven-Hendrik Haase authored
-
Sven-Hendrik Haase authored
This will be our backend for a Grafana-based APM. It is sorely required for gaining insights into why application such as aurweb are slow. We currently only enable the OTLP receiver as it seems to be the most modern and best supported one. We connect directly to the prometheus at localhost for the generated metrics. We're also using just storing traces locally in files instead of something like S3.
-
Evangelos Foutras authored
sudo 1.9.15.p5-2 enables secure_path by default.
-
Leonidas Spyropoulos authored
aurweb: release v6.2.12 See merge request !856
-
Christian Heusel authored
Signed-off-by:
Christian Heusel <christian@heusel.eu>
-
- Aug 02, 2024
-
-
Christian Heusel authored
-
Christian Heusel authored
This should i.e. forbid crawlers to index all of the git diffs which put's unneccessary load on the server and is not really of benefit to be indexed anyways. Link: #610 Reviewed-by:
Sven-Hendrik Haase <svenstaro@gmail.com> Reviewed-by:
Levente Polyak <anthraxx@archlinux.org> Signed-off-by:
Christian Heusel <christian@heusel.eu>
-
- Jul 31, 2024
-
-
Kristian Klausen authored
archwiki: Add simple challenge for Chinese IP addresses See merge request !851
-
Kristian Klausen authored
The wiki has been hammered with requests from some stupid Chinese bots/crawlers. Adding a simple challenge (requiring a cookie to be set), seems to be enough to throw them off. This was initially added for all pages, but as that could affect Chinese search engines (concern raised on the forum[1]), it was changed to only affect "action views", which search engines are not supposed to crawl. [1] https://bbs.archlinux.org/viewtopic.php?pid=2185963#p2185963
-