This means that there is no need to make runner-specific changes to the
image, so in theory the image could be build centrally (e.g. in the
arch-boxes project[1]) and then distributed to the runner hosts.

This change also make the SSH keys ephemeral.

[1] https://gitlab.archlinux.org/archlinux/arch-boxes

All libvirt volume management is now handled through virsh instead of
direct file system access. As a volume cannot be uploaded in an atomic
way, the current active volume is now tracked in a file on disk.

This may allow us to run the script with less privileges and use polkit
for libvirt access control[1].

[1] https://libvirt.org/aclpolkit.html

The prepare stage runs "echo "Running on $(hostname)...""[1], resulting
in "bash: line 7: hostname: command not found" and it outputting
"Running on ..." as the hostname command is provided by inetutils, which
is not installed.

Fix it by "monkey patching" it to use "hostnamectl hostname" and inject
the hostname with SMBIOS[2][3]. Injecting creds with SMBIOS may also be
useful in the future, e.g. for injecting an ephemeral SSH public key.

[1] https://gitlab.com/gitlab-org/gitlab-runner/-/blob/v17.5.2/shells/bash.go?ref_type=tags#L452-L456
[2] https://systemd.io/CREDENTIALS/
[3] https://github.com/systemd/systemd/pull/30814

This removes 13 instances of [1] and 1 instance of the IP address from
the job log.

The latter was fixed by no longer waiting for SSH in the "run" stage,
which is unnecessary as we wait for SSH in the "prepare" stage.

[1] Warning: Permanently added '192.168.122.xxx' (ED25519) to the list of known hosts.

It was forgotten once[1] to update it in both places, so avoid that
issue in the future, by moving it to a variable.

[1] c370c9d0 ("gitlab_runner: Update concurreny math to reflect the new VM size")

The project now has a centralized landing page hosted in the root
directory which we can observe instead of the docs for one specific
crate.

Related to signstar#124
Related to signstar!131



Signed-off-by: Christian Heusel <christian@heusel.eu>

The project now has a centralized landing page hosted in the root
directory which we can observe instead of the docs for one specific
crate.

Related to archlinux/alpm/alpm#76
Related to archlinux/alpm/alpm!57



Signed-off-by: Christian Heusel <christian@heusel.eu>

We are hitting a lot of permission problems lately for sources that are
co maintained. The culprint were wrong facl permissions that have not
been adjusted since we renamed TU to Packager.
Reflect this change by fixing the groups in the archbuild tasks to use
junior-dev and junior-packager.

Requested by dvzrv[1] and implemented in this MR[2].

[1]: archlinux/signstar#91
[2]: archlinux/signstar!125



Signed-off-by: Christian Heusel <christian@heusel.eu>

This seems to be a leftover from the migration of our packager roles.
All packagers should be able to upload sources to our packages
directory, hence change the permissions from the junior-dev group to the
junior-packager group.

Fixes #637

Keeping up with the sequoia interface changes is no fun and has caused
us work previously, therefore replace it with rsop which has a
standardized interface.

Co-Authored-by: David Runge <dvzrv@archlinux.org>
Signed-off-by: Christian Heusel <christian@heusel.eu>

As per my announcement to arch-devops[1] and staff, this adds a Mumble
server for Arch Linux.

The password for the special root user SuperAdmin is automatically
generated on first launch and printed to the logs. I went ahead and
added it to the vault. It should not usually be required to login as
SuperAdmin though as long as there are user admins around.

This uses certbot for local certificates.

[1] https://lists.archlinux.org/archives/list/arch-devops@lists.archlinux.org/thread/AHAOSTGFJTLQDSXLWFORDKGR6RDVHYEI/

Also regenerate the list of Prometheus Blackbox targets, adding:

- https://london.mirror.pkgbuild.com
- https://package-maintainer-bylaws.aur.archlinux.org

This differs from the way we install packages in all the other roles, so
revert the commit to ensure consistency.

This reverts commit ab1d8e84.

Fixes: 7ea1eb29 ("gitlab_runner: Refactor libvirt-executor")

It failed to reboot during the last upgrade procedure. Upon logging into
the Equinix Metal console, we discovered that we lack access to all 4 of
the servers sponsored by Equinix Metal. They are under the CNCF account,
and it's not possible to transfer them to our organization.

Equinix Metal is being sunset, and the remaining 3 servers will also go
away on June 30th 2026. We can keep them until then, or until they fail
to boot like seoul.mirror.pkgbuild.com.

alpm-buildinfo and alpm-types have been consolidated into the alpm
project[1], for which GitLab Pages was recently configured[2][3].

Requested by @dvzrv.

[1] https://gitlab.archlinux.org/archlinux/alpm/alpm
[2] archlinux/alpm/alpm#32
[3] 3d54b56c ("Add GitLab Pages for alpm")

We are not on top of expiring bot tokens and we usually only notice when
someone else points it out.

It is also a bit cumbersome to add new bot tokens, so avoid the issue
altogether, by just extending the lifetime of the bot tokens
continuously.

Fix #617

The behavior is mentioned in the documentation[1], but gitlab has not
always done it this way (e.g. some of the older project bots still
exist, even though the project tokens expired several months ago).

[1] https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects

This will be used for deleting old packages (i.e. the fortnightly
packages which are older than 90 days). I thought using a job token
would work (as described in [1]), but that turned out not to be the case
as explained in [2].

[1] 242213b2 ("gluebuddy: Remove deleted project bot for arch-boxes")
[2] arch-boxes@48ccb457

As it turns out the value for this filters "rounds" parameter strongly
differs depending on the installed python crypto backend, since
python-crypt uses 5000 rounds while python-passlib uses 656000 rounds
set a default parameter according to ansible documentation.

As really high values for "rounds" lead to some login timeouts it makes
sense for us to use a fixed value for this parameter. In this case 5000
have been chosen as this value reflects the defaults from python-crypt
aswell as /etc/login.defs in the shadow package.

Link: https://github.com/ansible/ansible/pull/77963/files
Related-to: #250


Signed-off-by: Christian Heusel <christian@heusel.eu>

This will be used for issue-bot[1][2] similar as it is done in the
signstar project[3].

[1] https://gitlab.com/gitlab-org/distribution/issue-bot
[2] arch-boxes@f0c7c7e7
[3] signstar@4e1cfa1e

Requested by Orhun[1].

[1] archlinux/alpm/alpm!9

This ensures that the fully templated file is syntactically is a valid php file.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Despite multiple people reviewing the change this was not spotted 



Signed-off-by: Christian Heusel <christian@heusel.eu>

nl6720 authored 5 months ago and Christian Heusel committed 5 months ago

https://wiki.archlinux.org/title/Template:Text_art needs a consistent font.

Discussed in https://wiki.archlinux.org/title/Template_talk:Text_art#Use_of_non-ASCII_characters