Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Add number of pacnew/pacsave files and print non explicit installed
optdepends as orphans as well.

archweb: Add robots.txt

Closes #358

See merge request archlinux/infrastructure!452

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Closes #358

It confuses the users that the browser is caching them (due to
heuristic[1]).

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#heuristic_freshness_checking

The port was removed in:
4729ba40 ("postfix: Remove special "fast-path" smtpd")

Avoid running backup-gitlab twice; reuse tarballs

See merge request archlinux/infrastructure!451

The official backup tool for GitLab takes many hours to run because it
puts everything inside tarballs and then gzips each one. It seems safe
and much more efficient to skip this step for the offsite backup while
reusing the tarballs generated by the first backup to the Storage Box.

Should save ~5 hours from the borg-backup-offsite.service execution.

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

It simplifies it a bit.

The default login shell for the svntogit user (/sbin/nologin) breaks
the Match Exec directives in /srv/svntogit/.ssh/config and prohibits
Git from using the correct SSH key.

While we're at it, add --set-upstream to the git pull command so the
task is more likely to accomplish its intended purpose.

Limit Borg CPU usage on single vCPU servers to 50%

See merge request archlinux/infrastructure!447

This is meant to address the daily HostHighCpuLoad alert triggered on
lists.archlinux.org, which due to the large number of files it has to
process (around 1.5 million). Machines with more than one virtual CPU
don't need this as Borg is currently single-threaded and thus limited
to one core.

misc/get_key.py: load vault file without chdir'ing

See merge request archlinux/infrastructure!448

Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 77542146 ("Rewrite get_key.py to use click instead of typer")

tf-stage1: Update nameservers

Closes #207

See merge request archlinux/infrastructure!446

Closes #207

Fixes: a9ee7e5d ("Send prometheus metrics and scrap its metrics over WireGuard")

Send promtail logs and scrap its metrics over WireGuard

See merge request archlinux/infrastructure!445

keycloak: Remove obsolete configuration

See merge request archlinux/infrastructure!444

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

account2 and account_api are enabled by default since keycloak 13
(https://www.keycloak.org/docs/13.0/server_installation/#profiles)

WireGuard all hosts

See merge request archlinux/infrastructure!442

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

This is initial to be used for communicating between
{lists,mailman3}.archlinux.org as mailman{2,3} can't run on the same
server.

grafana: Use builtin functionality to restrict access

See merge request archlinux/infrastructure!443

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").

install_arch: Fix cleanup of pacman cache

See merge request archlinux/infrastructure!441

noconfirm does not work because the default answer to the first check is
`No`.

This should have been amended to the original commit.

Fixes: 5fba4d5b ("rspamd: Lower spam threshold on misaligned Reply-To/To fields")

rspamd: Lower spam threshold on misaligned Reply-To/To fields

See merge request !395

Morten Linderud authored 3 years ago and Kristian Klausen committed 3 years ago

When people send patches to pacman-dev, either with the wrong list
address or a perceived wrong email header it would most likely be
default marked as spam and stuffed into Junk for people using our email
server.

This attempts at lowering the score to something we can live with until
a gitlab migration.

Signed-off-by: Morten Linderud <morten@linderud.pw>