F5/nginx has blogged about this[1] and it is also mentioned in nginx's
documentation[2]:
"There could be several add_header directives. These directives are
inherited from the previous configuration level if and only if there are
no add_header directives defined on the current level. "

The problem occurs when add_header is used in a child context like a
server{} or location{} block. It is solved by moving the HSTS header
into a snippet, which is now included before all add_header lines.

For now the HSTS header is the only global header, but in the future we
may need to add more global headers, like the Alt-Svc header[3] for
HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

tempo: fix wireguard firewall port for aur.archlinux.org

See merge request !864

Gitlab recommends a default value of 1/4th of the total memory here, but
since the previous value was 1MB we go for a bit more conservative
approach here.

Fixes: #615


Signed-off-by: Christian Heusel <christian@heusel.eu>

Tomas has previously been a Junior Package Maintainer, but the two
month period is now long up and according to their sponsors their
changes in the KDE packaging ecosystem all looked good.

Fixes archlinux/infrastructure#616



Signed-off-by: Christian Heusel <christian@heusel.eu>

dovecot: Enable the body Sieve extension

See merge request !862

In order to use tests like `body :content "text/plain" :contains "Reassigned Issue"`.

archwiki: Fix typo

See merge request !861

archwiki: Do page view caching[1] with nginx for improved performance

Closes #315

See merge request !846

This should not cause any issues as MediaWiki should purge stale content
from the cache (by sending a PURGE request to the nginx-cache-purge
service).

We have used MediaWiki's file cache[2] until now, but recently the wiki
has been hammered with requests from some stupid Chinese bots/crawlers.

Caching at the web server level is faster as we avoid the PHP overhead
and it seems to make a difference (performance wise), especially when
the bots/crawlers are hitting us.

This is usual done with Varnish[3], but I went with a simple Python
service (30 LOC) for handling the PURGE requests as that is much simpler
thn adding Varnish to our stack.

[1] https://www.mediawiki.org/w/index.php?title=Manual:Performance_tuning&oldid=6670283#Page_view_caching
[2] https://www.mediawiki.org/wiki/Manual:File_cache
[3] https://www.mediawiki.org/wiki/Manual:Varnish_caching

Fix #315

This will be used for issue-bot[1][2].

[1] signstar#20 (comment 201743)
[2] https://gitlab.com/gitlab-org/distribution/issue-bot

See: https://github.com/element-hq/synapse/issues/17473

install_arch: skip UEFI partition on cloud servers

See merge request !857

The need for UEFI booting originates from dedicated server and it does
not benefit cloud servers. It therefore makes sense to skip it on them.

The module postgresql_privs deprected the "password" parameter in favour
of the "login_password" parameter, therefore replace accordingly.

https://github.com/ansible-collections/community.postgresql/blob/main/CHANGELOG.rst#id19

Fixes #603



Signed-off-by: Christian Heusel <christian@heusel.eu>

https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/G57Z24ORXN3IJZEEXMMEB43M2QDJ343X/

Fixes: #605


Signed-off-by: Christian Heusel <christian@heusel.eu>

"The user profile feature is now enabled by default." [1]

[1] https://www.keycloak.org/docs/24.0.2/upgrading/#user-profile-changes

This will be our backend for a Grafana-based APM.
It is sorely required for gaining insights into why application such as aurweb are slow.

We currently only enable the OTLP receiver as it seems to be the most
modern and best supported one.

We connect directly to the prometheus at localhost for the generated
metrics.

We're also using just storing traces locally in files instead of
something like S3.

sudo 1.9.15.p5-2 enables secure_path by default.

aurweb: release v6.2.12

See merge request !856

Signed-off-by: Christian Heusel <christian@heusel.eu>

This should i.e. forbid crawlers to index all of the git diffs which
put's unneccessary load on the server and is not really of benefit to be
indexed anyways.

Link: #610


Reviewed-by: Sven-Hendrik Haase <svenstaro@gmail.com>
Reviewed-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Christian Heusel <christian@heusel.eu>

archwiki: Add simple challenge for Chinese IP addresses

See merge request !851

The wiki has been hammered with requests from some stupid Chinese
bots/crawlers. Adding a simple challenge (requiring a cookie to be set),
seems to be enough to throw them off.

This was initially added for all pages, but as that could affect Chinese
search engines (concern raised on the forum[1]), it was changed to only
affect "action views", which search engines are not supposed to crawl.

[1] https://bbs.archlinux.org/viewtopic.php?pid=2185963#p2185963

This will be used for installing the geoip2 module, so we can make it
more difficult for Chinese bots to crawl the wiki.

The name of the shared object file can be overridden in case it is not
named ngx_http_{{ module.name }}_module.so, e.g. srcache where the
shared object is named ngx_http_srcache_filter_module.so.

Archweb now exports Prometheus status via /metrics with request duration
information.

Add support for "legacy" RSA 4096 certs

Closes releng#22

See merge request !852

To shut up the linter.