Fixes: cf9c92fd ("dovecot: Disable POP3")

Implicit TLS is the future[1].

[1] https://datatracker.ietf.org/doc/html/rfc8314

No one uses it and less to worry about.

Fix #205

Restrict the mail users to passwd and decouple the mailboxes from the system user

See merge request !450

The homedir is now /home/vmail/%d/%n instead of /home/$USER.

Preparation for switching to a virtual user setup and removing all the
staff users from mail.a.o.

The users are only meant as a way to change the mail password and
setting up forwarding (~/.forward), the latter will be handled by the
DevOps team now.

Fixes: 678845af ("Add Kape server IPv6 addresses (fixes #230)")

Add redirects for git.archlinux.org using a map

See merge request !439

Increase zram-fraction to 1.0 for lists.archlinux.org

See merge request !460

It's been running out of swap during borg-backup and seems to get good
compression ratios; try upping the zram size to 100% of RAM (from 50%).

Add fail2ban exporter

See merge request !457

The fail2ban exporter exports the amount of bans per jail.

hcloud_inventory: Optimize --list to avoid --host calls

See merge request !459

By adding a top-level element called "_meta" to the --list response,
Ansible will not call the inventory script with --host for each host
thus saving a lot of time and many requests to the Hetzner Cloud API.

The speed-up is significant; `ansible-inventory --list` is down from
about 1 minute to just 7 seconds in my testing (with ~60ms latency).

As per the following deprecation warning (even though it has a typo):

[DEPRECATION WARNING]: [defaults]callback_whitelist option, normalizing
names to new standard, use callback_enabled instead. This feature will
be removed from ansible-core in version 2.15.  Deprecation warnings can
be disabled by setting deprecation_warnings=False in ansible.cfg.

[1] https://github.com/ansible/ansible/pull/74845

zswap seems like the better choice when a backing swap partition exists.

Remove zram size limit and disable zswap when using zram

See merge request !458

When both zswap and zram are active, zswap sits in front of zram and
treats it as a backing store. We just want to use zram and not zswap
disguising itself as such; disable the latter so we can enjoy useful
zramctl statistics.

Implemented as tmpfiles.d/zram.conf which disables zswap at runtime.

Restarting swap.target doesn't apply configuration changes; instead we
can restart systemd-zram-setup@zram0 which seems to do what we wanted.

Set "max-zram-size = none" to disable this unwanted limitation which
defaulted to creating zram-based swap with a maximum size of 4096MiB.

Fixes: dc8fa2bd ("common: Replace deprecated systemd-swap[1] with zram-generator")

Redirect fail2ban log to SYSLOG

Closes #322

See merge request !456

The upstream branch is set by the earlier "git pull --set-upstream".

Ref #374

Onboard alerque as new TU

See merge request !449

Ref #373

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.

Mark "Free Space (Hetzner)" metric as instant for faster updates.

Extend onboarding by more explicit information

See merge request !418

.gitlab/issue_templates/Onboarding.md:
Create the ticket as confidential by default (using a short action).
Make the required information in the Details section more explicit and
add entries that are relevant when creating an SSO and/or archweb
account.
Add a note for sponsors of new users, so that they also add a
clearsigned version of the data they provide.
Add a dot at the end of each sentence.
Make the entries for mailing list operations more generic and rely on
the *communication e-mail address*, which may be the user's personal
mail address or a newly created @archlinux.org mail address.
Add warning message about creating a confidential ticket when providing
personal data.
Add checkbox to remind about the removal of personal information,
removal of description history and setting the ticket to be
non-confidential (if it has been confidential due to personal data).
Add checkbox that reminds setting the Team member username to the
@-prefixed username on gitlab (after the user has logged in).

prometheus_exporters: Improve arch-textcollector

See merge request !453

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Add number of pacnew/pacsave files and print non explicit installed
optdepends as orphans as well.

archweb: Add robots.txt

Closes #358

See merge request !452

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Closes #358