Aurweb wants to use terraform to create VMs in the Hetzner cloud sandbox
project and it must store the terraform state somewhere. The state can
be stored in GitLab[1], but unfortunately the access is not very
granular. So to avoid handing the CI pipeline too much access to the
aurweb project, a new project has been created, to store only the
terraform state, and an associated project access token.

[1] https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html

This is meant to be used in the Hetzner cloud sandbox project, so SSH
keys can be injected when a new VM is created from e.g. a CI pipeline,
so that the CI pipeline can SSH to the newly created VM.

The EC2 metadata service is used over the Hetzner metadata service, as
it is supported by more providers (including Hetzner).

A new Hetzner cloud project has been created called "Sandbox". This
project is meant for non-production workload which must be created
on-demand from e.g. a CI pipeline. The first project using the sandbox
is aurweb, which wants to use GitLab's Review apps[1] feature to create
dynamic environments on-demand.

Two API tokens have been created, one for the infrastructure project (to
be used by packer) and for the aurweb project.

[1] https://docs.gitlab.com/ee/ci/review_apps/

As of version 1.7.0, HCL2 is the preferred way to write Packer
templates. The documentation reflect this and it is easier if we use the
preferred format.

acme_dns_challenge: turn into more generic dyn_dns

See merge request !754

Extend the role (previously used for ACME DNS verifications only) to
support dynamic DNS functionality planned for sandbox.archlinux.page.

Setup bugbuddy server for upcoming bugbuddy tool

See merge request !743

Bugbuddy is the upcoming tool for assigning package bugs to the proper
folks. The bugbuddy role will be created at a later date when the tool
is ready.

grafana: Add requests to aurweb dashboard

See merge request !753

Add timeseries visualizations for number of requests by status and type.

Convert "graph" vis. types to "timeseries" for Users and Packages.
("graph" is deprecated)

Signed-off-by: moson <moson@archlinux.org>

This saves us from having to rebase on every upstream config change.

The same drop-in functionality is now provided by the openssh package
via /etc/ssh/sshd_config.d/.

Add RedHat account and dedicated GitHub account for archlinux-docker

See merge request !704

This is needed as archlinux-docker wants to push its container images to
GitHub Packages[1]. Unfortunately, the existing GitHub account has too
much access and it is not possible to limit the token to a single
repository[2].

[1] archlinux-docker#73
[2] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic

This is needed as archlinux-docker wants to push its container images to
Quay.io[1], which requires a RedHat account.

[1] archlinux/archlinux-docker#73

Requested by @torxed to be able to commit from a pipeline.

[1] https://gitlab.archlinux.org/archlinux/teams/mirror-administrator/arch-mirrors

We are not sure where this CNAME was originally used. DNS records were
transferred to Terraform sometime in 2020 so we lack history for them.

aurweb: Dashboard changes & removal of textcollectors

See merge request !744

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

With aurweb!743 we expose those gauges directly from /metrics

Signed-off-by: moson <moson@archlinux.org>

Rename "search_requests_total" to "aur_search_requests_total"

Related MR: aurweb!743

Signed-off-by: moson <moson@archlinux.org>

We have 100 max connections to Libera.

archbuild: Add systemd conf for devtools resource control

See merge request !745

Leveraging devtools 1.0.4, install systemd snippets which
  - distribute CPU and IO equally between users,
  - distribute CPU and IO equally between build containers of a user,
  - prefer distributing CPU and IO to things that are not build
    containers, and
  - copy our user oomd config for users to apply to build containers.

Gluebuddy does not keep state so there is no reason for backing up the
server.

Fixes: d88c0b95 ("Initialize gluebuddy host")

Fixes: ae53da35 ("Setup OpenSearch server for GitLab's advanced search feature[1]")
Fixes: b892c0e8 ("geomirror: new uk based mirror sponsored from jump.net.uk")

faillock has often been locking me out of my mailbox because it counts
failed authentication attempts against my user; turn this off and rely
on fail2ban to block instances of account password brute-forcing by IP.

Its php7 package can easily break from library upgrades like ICU.

hedgedoc: Enable named pads

See merge request !742

This allows the pads to be named nicely instead of having just a random string as URL.

For example the draft of the monthly report in july could be located at "https://md.archlinux.org/2023-07_monthly-report" instead of "https://md.archlinux.org/UF9Y235qTRe8XS3qxUVeJA".

https://docs.hedgedoc.org/references/url-scheme/#freeurl-mode



Signed-off-by: Christian Heusel <christian@heusel.eu>

The HTTP code must be 2xx for probe_success to indicate that the probe
succeeded, if not an alert will be sent.

Fixes: 653f8011 ("Add GitLab Pages for alpm-types[1]")

dbscripts: allow everyone access to multilib

See merge request !723