Kevin Morris authored 3 years ago and Evangelos Foutras committed 3 years ago

[foutrelis: add vault variables described in !532]

Signed-off-by: Kevin Morris <kevr@0cost.org>
Signed-off-by: Evangelos Foutras <evangelos@foutrelis.com>

The two secrets: vault_aurweb_{secret,postmaster}

Using GitLab's official backup tool takes too much time and, more
importantly, space; /srv/gitlab is a bit over 430G but backing it
up nearly exhausts its 1TB volume.

As we're creating btrfs snapshots and backing those up with borg, it
seems unnecessary to also create tarballs of the same data. GitLab's
documentation mentions snapshots as a viable backup strategy, and to
the restored system it should seem like recovering from a power loss.

[1] https://docs.gitlab.com/ee/raketasks/backup_restore#alternative-backup-strategies

The sponsored mirrors have a ton of storage, but mirror.pkgbuild.com
doesn't, so debug packages aren't synced to it.

[1] {america,asia,europe}.mirror.pkgbuild.com

Fixes: 91f9df69 ("Add missing wireguard for gluebuddy")

Fixes: d88c0b95 ("Initialize gluebuddy host")

New username; separate and longer account manager + storage passwords.

Also, have to use --remote-path=borg1 when interacting with rsync.net.

It's not available as a shell anymore after tools were removed from it.

Hetzner DNS has been delaying many responses for 5 seconds, causing
outgoing federation work to pile up, almost running into OOM before we
noticed.

I don't know if were being throttled because federation makes a *lot* of
requests. Anyway, using Cloudflare DNS seems to solve it.

Enable DNSOverTLS for this because we can.

en is the prefix for ethernet according to systemd.net-naming-scheme(7)

Leonidas Spyropoulos authored 3 years ago and Kristian Klausen committed 3 years ago

Redundant since this commit:
bdd538ec ("Use unbound for rspamd DNS resolving")

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

CPU: Intel Xeon E5-2620 -> E-2288G
Disk: 2x~1TB -> 2x~500GB

It's been running out of swap during borg-backup and seems to get good
compression ratios; try upping the zram size to 100% of RAM (from 50%).

zswap seems like the better choice when a backing swap partition exists.

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

nginx, certbot, postfix and mailman are still missing and the DNS is
still pointing to luna.

Fix #325

Ansible complains if the fail2ban_jails dictionary is missing the
nginx_limit_req key. Adding this as default failse.

Bugfix from: e5773374

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Fix #193

To negate high cpu spikes from abusers/bots who scan our services, we
now fail2ban them.

Sven-Hendrik Haase authored 3 years ago and Kristian Klausen committed 3 years ago

Co-authored-by: Kristian Klausen <kristian@klausen.dk>

Gitlab can show our alertmanager alerts only for > reporter and create
issues from alerts on gitlab.

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

For spam checking it is recommend to use our own recursive resolver[1]
to avoid rate limiting by using a public resolver.

unbound is already installed but the system wasn't configured to use it.

[1] https://rspamd.com/doc/faq.html#resolver-setup

Previously we configured our network conf to all interfaces, which
shouldn't be done as not all our routed to the internet and this causes
systemd-network-online target to fail.

This adds a collaborative markdown editor as newly offered service which
is available via login for all Arch Linux Staff with an option to allow
anonymous edits by users (not default). Users are managed via keycloak
and require the Staff role to be allowed in, non staff keycloak users
currently will receive an internal server error due to an upstream
issue.

Closes: #231

This host is special and only allows demize to login as user to
administer phrik and no other users/groups should be created on the
machine.