Also rearranged the documentation a bit.

Fixes: 27553ab3 ("Remove the WG private keys from the vault and store them only on the servers")

Add server for the nvchecker PoC[1]

See merge request !906

The server will be used for developing and running the nvchekcer PoC.
Antiz is working on the nvchecker PoC and will be provided root access.

As it is used for development purposes and we are providing root access
to a person outside the DevOps team, it is not managed by the DevOps
team, but by the nvchecker-poc group (which includes two DevOps
members), and only has the minimum of roles deployed.

It is expected that this will be put into "production" at some point and
thus must be fully managed by the DevOps team. It must be evaluated
before this point whether access to people outside DevOps team should be
provided, and if so, how and under what form of governance.

A playbook is added to ease development of the relevant roles at a later
point.

[1] https://gitlab.archlinux.org/archlinux/nvchecker-poc

Misc cleanups

See merge request !907

This was required by ansible hostname module in the past and has been
removed and added before[1][2][3][4]. The hostname module finally works
without the hostname command (likely this[5] upstream commit), so it can
be removed.

[1] 24262f6d ("common: Install inetutils for hostname")
[2] cafd2649 ("Remove inetutils in favor of ansible using systemd")
[3] 3f5000d9 ("install_arch: Add inetutils for ansible hostname module")
[4] 626c0d14 ("Enable ParallelDownloads and install hostname")
[5] https://github.com/ansible/ansible/commit/502270c804c33d3bc963930dc85e0f4ca359674d

Zsh was removed years ago from most servers as part of the tools
cleanup[1] and it was never the default shell (AFAIU), so there is no
reason for keeping this config around.

[1] 7da1e273 ("Cleanup tools")

Fixes: 6201647b ("New shared networking role.")

Add sponsored Misaka[1] VMs for our geo mirror

See merge request !929

Misaka responded[2] to our "Request for Sponsored VMs to Maintain Arch
Linux Geomirrors"[3] and offered a few sponsored VMs for our geo mirror.

[1] https://www.misaka.io/
[2] https://lists.archlinux.org/archives/list/arch-mirrors@lists.archlinux.org/message/TXHHMCR3BQ2I5NQE36N22WSIA56OMTB7/
[3] https://lists.archlinux.org/archives/list/arch-mirrors@lists.archlinux.org/message/V7JBNYFSO2HG4OSIXXR4PMGK7EFT7J2K/

gitlab: Increase maximum request size to 8k

See merge request !932

The DRM QR codes can produces requests with sizes up to 7089
characteres, therefore choosing a limit of 8k seems reasonable.

Related to archlinux/infrastructure!931

Link: https://docs.gitlab.com/administration/pages/#global-settings


Co-authored-by: Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Signed-off-by: Christian Heusel <christian@heusel.eu>

archwiki: Update to 1.43.0-2

See merge request !933

Signed-off-by: Christian Heusel <christian@heusel.eu>

tf-stage1: Add GitLab Pages for panic form

See merge request archlinux/infrastructure!931

This allows users of the 'linux' package to make use of the
DRM-subsystems panic screen that can encode a zlib-encoded panic trace
in a QR code and this way allow a user to transport data via QR to their
computer.

An example URL is the following:

    https://panic.archlinux.org/panic_report/?a=x86_64&v=6.10.0&zl=232110691174483706575043650521221445645717046796552248644098439502487

This site will most likely be extended in the future under it's repo in
the archlinux namespace.

Link: https://gitlab.archlinux.org/archlinux/panic_report
Link: archlinux/packaging/packages/linux@9faea7f9


Signed-off-by: Christian Heusel <christian@heusel.eu>

archwiki: Update to 1.42.5-1

See merge request !930

Signed-off-by: Christian Heusel <christian@heusel.eu>

Signed-off-by: Christian Heusel <christian@heusel.eu>

sshd: accept environment variables ...

See merge request !840

Christian Hesse authored 8 months ago and Christian Heusel committed 1 month ago

... for user's color, language/locale and timezone settings

fluxbb: disallow more security related PHP functions

See merge request !682

Specifically, I noticed that install.php was removed in the live installation but this wasn't
documented in code. For security reasons it's a good idea to remove that file after installation.
Old PHP forum software just was like that ;)

Amin Vakil authored 2 years ago and Sven-Hendrik Haase committed 1 month ago

Disallow more php functions which can execute commands, create symlinks
or read arbitrary files.

prometheus: scrape tempo metrics

See merge request !866

Levente Polyak authored 7 months ago and Christian Heusel committed 1 month ago

Tempo exposes its service metrics with the default route on port 3200.
Let's add it to our scraping targets so we get insights into the tempo
service.

Levente Polyak authored 7 months ago and Christian Heusel committed 1 month ago

The default is to run it on 0.0.0.0.

install_arch: fix loops

See merge request !926

Leonidas Spyropoulos authored 1 month ago and Christian Heusel committed 1 month ago

Fixes: 701c1d01 ("Migrate 'with_X' to 'loop'")

sshd_config: Set ClientAliveInterval to 30 seconds

See merge request !928

Should help people not get disconnected when a build has no output for a
while (e.g. long LTO links).

Use paccache.service environment file to pass extra arguments

Closes #649

See merge request !921

Use the new `/etc/conf.d/pacman-contrib` environment file (introduced in pacman/pacman-contrib!53) to pass extra arguments to `paccache.service` instead of overriding it completely.

This improves security as it allows to benefit from all the hardening implemented in the upstream service file (which wasn't the case previously, since the whole service file was overwriten).

/!\ Requires `pacman-contrib` >= `1.11.0` /!\

Closes #649