This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

This is initial to be used for communicating between
{lists,mailman3}.archlinux.org as mailman{2,3} can't run on the same
server.

grafana: Use builtin functionality to restrict access

See merge request archlinux/infrastructure!443

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").

install_arch: Fix cleanup of pacman cache

See merge request archlinux/infrastructure!441

noconfirm does not work because the default answer to the first check is
`No`.

This should have been amended to the original commit.

Fixes: 5fba4d5b ("rspamd: Lower spam threshold on misaligned Reply-To/To fields")

rspamd: Lower spam threshold on misaligned Reply-To/To fields

See merge request !395

Morten Linderud authored 3 years ago and Kristian Klausen committed 3 years ago

When people send patches to pacman-dev, either with the wrong list
address or a perceived wrong email header it would most likely be
default marked as spam and stuffed into Junk for people using our email
server.

This attempts at lowering the score to something we can live with until
a gitlab migration.

Signed-off-by: Morten Linderud <morten@linderud.pw>

Goodbye luna

Closes #86

See merge request !436

https://lists.archlinux.org/pipermail/arch-dev-public/2021-July/030471.html

Fix #86

Support creating support-staff accounts on mail.al.org for mail + create user for klausenbusk and denisse

See merge request !430

Primarily to be used for mail accounts on mail.archlinux.org.

Update the firewalld configuration as of 0.9.4.
MinimalMark/AutomaticHelpers options are deprecated and ignored. New
otions added.

Use sub-accounts for backups to Hetzner Storage Box

Closes #362

See merge request !434

This offers improved separation between the server backups and should
avoid bumping against the storage box 10 concurrent connection limit.

Fixes: #362

As it turns out, the total size does not include the snapshots (feature
which we recently enabled). Record the free space so we can have a more
accurate picture of the usable space remaining.

Now that we have enabled snapshots, summing all Borg repository sizes
has become a bad approximation of the total space used on the storage
box.

Migrate lists.al.org to a VPS

Closes #356

See merge request !424

Fix #356

The DNS is still pointing to luna.

nginx, certbot, postfix and mailman are still missing and the DNS is
still pointing to luna.

We want to use rspamd for lists.al.org at some point, so we can't
hardcode the domain to archlinux.org.

Use restrict key option and relative borg command

See merge request !433

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

Also switch to a relative borg command since its location is not really
standardized; on rsync.net it appears to be located under usr/local/bin
(though /usr/bin/borg works too, even if it doesn't exist!) and Hetzner
just forces its own command, ignoring ours. 

The Borg documentation seems to agree with both the above alterations:

[1] https://borgbackup.readthedocs.io/en/stable/usage/serve.html

Create snapshot with current db and gitlab backups

See merge request !432

The helper scripts that create mysql/postgres database dumps as well as
the script running gitlab-backup were executed after the btrfs snapshot
was taken. This resulted in stale db and gitlab backups (from last run).

Move execution of these helper scripts further up so their outputs get
included in the btrfs snapshot.

Reported-by: Kristian Klausen <kristian@klausen.dk>