- May 14, 2022
-
-
Evangelos Foutras authored
-
Evangelos Foutras authored
The intention is to use this config for other domains besides a mirror.
-
Evangelos Foutras authored
- add the new role to redirect.archlinux.org
- release mirror.pkgbuild.com of all DNS duties
-
Evangelos Foutras authored
-
- May 12, 2022
-
-
Kristian Klausen authored
Kevin is MIA, so add my key, so we can do releases.
-
Kristian Klausen authored
Provision server for buildbot POC
See merge request !571
-
Kristian Klausen authored
Foxboron wants some infra for a buildbot POC, so let's give it to him! The server has been configured with the common and firewalld role.
-
Evangelos Foutras authored
Remove [node_exporters]/[wireguard] from inventory + Replace dynamic hcloud inventory with host entries
See merge request !572
-
Evangelos Foutras authored
We make almost no use of the dynamic properties of the hcloud inventory, so we can simplify this by declaring all cloud servers in the main hosts inventory. The main benefit of this change is that temporary and experimental cloud servers are not automatically included in the Ansible playbooks. In such cases it is usually incorrect to deploy changes to these unknown servers. A smaller side benefit is that Ansible will now use hostnames to connect to cloud servers, whereas the dynamic inventory provided IPv4 addresses. This results in more meaningful ~/.ssh/known_hosts entries.
-
Evangelos Foutras authored
All servers are part of these groups which makes them redundant.
-
Evangelos Foutras authored
Keycloak 18.0.0 disallows this by default; enable the legacy behavior temporarily. When this stops working, we should consider removing the 'redirect_uri' parameter entirely.
Should also check if GitLab and/or Grafana have implemented support for alternative ways of signing out:
- https://gitlab.com/gitlab-org/gitlab/-/issues/14414
- https://github.com/grafana/grafana/issues/24643
-
Evangelos Foutras authored
-
Evangelos Foutras authored
tf-stage2: update keycloak provider to 3.8.1
See merge request !569
-
- May 10, 2022
-
-
Evangelos Foutras authored
OpenID clients:
- 'use_refresh_tokens' set to false to preserve the values on live
- 'backchannel_logout_session_required' implicitly changed to true for the 'grafana_openid_client' and 'openid_gitlab' clients
SAML client (GitLab):
- 'front_channel_logout' set to false to preserve the live setting
-
- May 09, 2022
-
-
Evangelos Foutras authored
Otherwise running terraform under tf-stage2 will often fail with:
> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'
-
Evangelos Foutras authored
-
Leonidas Spyropoulos authored
gitlab-exporter: add gitlab-exporter to monitoring
See merge request !566
-
Leonidas Spyropoulos authored
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
-
Evangelos Foutras authored
Bash histories indicate this isn't being used anywhere other than {build,gemini}.archlinux.org and gemini's filelist is so big that locate becomes so slow that it's practically useless on this box.
-
Evangelos Foutras authored
-
Evangelos Foutras authored
-
- May 08, 2022
-
-
Evangelos Foutras authored
-
- May 07, 2022
-
-
Kristian Klausen authored
Onboard artafinde as Junior DevOps
Closes #452
See merge request !567
-
Kristian Klausen authored
artafinde is our new newest Junior DevOp[1] and will get access to:
* monitoring.al.org: for setting up gitlab-exporter[1]
* gitlab.al.org: for setting up gitlab-exporter[1]
* dashboards.al.org: in case he wants to do more monitoring related stuff
[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/
Fix #452
-
Evangelos Foutras authored
Move highly sensitive secrets to new "super" vault
See merge request !565
-
Evangelos Foutras authored
-
Evangelos Foutras authored
- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access
-
Evangelos Foutras authored
-
Evangelos Foutras authored
The idea behind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.
-
Evangelos Foutras authored
These were previously removed temporarily and re-created several minutes later during the process of deploying archusers to gemini.archlinux.org.
-
Evangelos Foutras authored
Add additional pubkey for dvzrv
See merge request archlinux/infrastructure!568
-
David Runge authored
pubkeys/dvzrv.pub: Add pubkey based on auth subkey of PGP key `1793DAD5D803A8FFD7451697BB992F9864FAD168`.
-
- May 04, 2022
-
-
Jan Alexander Steffens (heftig) authored
-
Jan Alexander Steffens (heftig) authored
-
- Apr 29, 2022
-
-
Evangelos Foutras authored
geomirror: leverage LUA records for failover+GeoIP
See merge request archlinux/infrastructure!563
-
Evangelos Foutras authored
In an effort to stay consistent with the TTL used for the archlinux.org and pkgbuild.com NS records, as well as slightly improve lookup latency.
-
Evangelos Foutras authored
PowerDNS provides a neat way to implement GeoIP-based redirection and automatic failover. With GeoLite2-City database, it is able to select the closest mirror from a list of IPs we provide. Every 60 seconds it also checks if the mirror's HTTPS URL is working as expected; if that check fails, it stops giving it out (this acts as automatic failover).
-
- Apr 28, 2022
-
-
Jan Alexander Steffens (heftig) authored
archbuild: Distribute CPU and IO resources equally among users
See merge request archlinux/infrastructure!564
-
- Apr 27, 2022
-
-
Jan Alexander Steffens (heftig) authored
-
Jan Alexander Steffens (heftig) authored
archbuild: Turn off Git's safe.directory
See merge request archlinux/infrastructure!561
-