dbscripts: fix createlinks for binaries in non-standard locations

See merge request archlinux/infrastructure!758

In FS#79592 we encountered yet another case where sogrep was not able to
detect the necessary rebuild because the binaries reside in the
non-standard path "/usr/share/$pkgname/bin/" which we currently do not
take into account.

This commit fixes this behaviour by also taking files symlinked from one
of the standard locations into account.

Adding secondary workstation key for torxed

See merge request archlinux/infrastructure!761

Re #537

dbscripts: add missing gitconfig file

See merge request archlinux/infrastructure!756

Onboard fabiscafe as PM

See merge request archlinux/infrastructure!757

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

The EDNS Client Subnet header can provide a more accurate location of
the client, especially if the client is not near the recursive resolver,
so use it if it's provided.

Since Linux 6.2, Btrfs enables asynchronous trimming in its mount flags.

[1] https://github.com/archlinux/archinstall/issues/1837
[2] https://github.com/torvalds/linux/commit/63a7cb130718

hardening: reject authentication with empty passwd

See merge request !759

SSH defaults to disallowing empty passwords but Dovecot has no similar
safeguard (at least not one enabled by default). Remove "nullok" from
/etc/pam.d/system-auth to implement the desired behavior system-wide.

ansible-lint 6.19.0 started complaining about this:

   schema[tasks]: 'become_method' must be one of the currently available
   values: ansible.builtin.runas, ansible.builtin.su,
           ansible.builtin.sudo, ansible.netcommon.enable,
           community.general.doas, community.general.dzdo,
           community.general.ksu, community.general.machinectl,
           community.general.pbrun, community.general.pfexec,
           community.general.pmrun, community.general.sesu,
           community.general.sudosu, containers.podman.podman_unshare

No way we're fixing 47 of these linting errors which seem unimportant.

The archive is too chonky to fit in 10T so the storage box is now 20T.

The expression "2^40 * ceil(hetzner_storage_box_size_bytes / 2^40)" is
used to round up hetzner_storage_box_size_bytes to the next TB because
when we do "df" on the storage box, the total blocks exclude snapshots.

The gitlab bot added in [1] expired after one month, so this allowlist
the new bot, which expires after 11 months (gitlab's maximum).

[1] 5fb8df85 ("gluebuddy: Add gitlab bot for aurweb-tfstate project")

mailman: rate limit the uwsgi endpoint to 2 requests/sec

See merge request archlinux/infrastructure!760

We have had bruteforce attempts to perform SQL injections on the signup
page. To get rid of the alerts, let's rate limit this properly.

This closes issues with a link to the new Gitlab issue using the
`id-mapping-$project.json` file created by the migration script.

10.0.0.43 had already been allocated to london.mirror.pkgbuild.com
creating a conflict in Prometheus. Pick the next available address.

This was a bit of trial and error (testing with the arch-boxes project.)

It used to be pulled in as a dependency of gzip, but that was recently
changed to an optional dependency [1]. It's a good tool so add it back.

[1] archlinux/packaging/packages/gzip@be440e27

It was brought to our attention by @foxboron, that arch-security is
misconfigured. It should only accept mails from members of the Arch
Security Team.

It is unclear if the list has always been misconfigured or if it
happened as part of mailman2 -> mailman3 migration.

aurweb dev playbook & fixes for aurweb playbook

See merge request !752

Playbook allows us to provision an aurweb sandbox host.

Ref: aurweb/!752

Signed-off-by: moson <moson@archlinux.org>

Introduce "root_additional_keys" variable allowing us to deploy
additional root keys with our "root_ssh" role

Signed-off-by: moson <moson@archlinux.org>

Use variables to define our systemd unit files.

Signed-off-by: moson <moson@archlinux.org>

* Move modules installation:
We need some modules to be installed when doing the DB init. (alembic)
* Remove double entry for starting "aurweb-git-archive.timer"
* Link update wrapper after creating git repo
* Fix permissions cgit deploy

Signed-off-by: moson <moson@archlinux.org>

dbscripts: fix createlinks for filenames that contain spaces

Closes #524

See merge request archlinux/infrastructure!751

So far the for loop recognized filenames with spaces as different words:

$ for f in $(find pkg -type f); do echo "$f"; done
pkg/usr/bin/Surge
XT
Effects
pkg/usr/bin/Surge
XT

While the correct output here would have been:
pkg/usr/bin/Surge XT Effects
pkg/usr/bin/Surge XT

We fix this by just passing everything directly to readelf, which also
removes the loop overhead. This results in a significant speedup for
packages with a lot of libraries and binaries.

fixes: archlinux/infrastructure#524


Co-Authored-By: Evangelos Foutras <evangelos@foutras.com>

This allows for tasks/include/upgrade-server.yml to be reused elsewhere.

Commit 8e6d5474 ("sshd: use drop-in for basic sshd configuration")
changed the sshd_config.j2 template to contain only overridden bits of
sshd_config. However, it did not account for the install_arch role use
of the same template which was still installed to /etc/ssh/sshd_config.

Fix install_arch to install to etc/ssh/sshd_config.d/override.conf too.

Fixes: 8e6d5474 ("sshd: use drop-in for basic sshd configuration")