There is a need for build servers to never build against outdated repo
databases, even with syncrepo providing a local mirror that is updated
every minute. To that effect, we adjust mirrorlist on build servers so
the tier0 mirror provided by gemini over wireguard is the first mirror.

Keep the syncrepo role on build servers in order to have a local cache
of packages and avoid concurrent build jobs downloading the same files
causing them to be corrupted.

Finally, configure gemini to use its own repos (like other mirrors do).

This is to allow our build servers to access the tier0 mirror, as well
as enable other future use cases that could benefit from tier0 access.

- remove NOOP "satisfy: any" directive
- replace a couple of tabs with spaces

Some users scrape our git endpoint with quite some requests per second
(32) this is not something cgit/smartgit can handle and has caused the
AUR to go down once (http 502).

Re-enable when all servers have been upgraded to systemd 251.

Order and exact values copied from the CF example in resolved.conf.

tf-stage1: standardize on TTL 3600 for DNS records

See merge request archlinux/infrastructure!542

The default TTL of 3600 seems a bit short for these.

Almost all of our DNS records have a TTL of 86400 (24 hours) with a few
using a TTL of 600 (some MX and TXT records). The former is too long to
be flexible when a need for fast change(s) arises, and the latter don't
benefit from the low TTL. Standardize on a TTL of 3600 (1 hour) for all
our records.

Keeps us from having to deal with .pacnew files.

Does not seem possible to communicate with hosts in the same subnet
without going through the gateway. Matches the configuration of our
other dedicated servers at Hetzner.

Indirect way to get "configure_network: true".

Fixes these display counters which were tied to aur.archlinux.org:

- Uptime
- RootFS Total
- RAM Total
- SWAP Total

Also add a decimal point to the latter two fields.

No changes made to it; this is to reduce noise in future modifications.

Avoid updating the cache in the same task w/ the upgrade as the former
causes the combined task to always return changed=True. For up-to-date
hosts, stop early instead of following through to the end and skipping
the final reboot task.

Before Ansible 5.4.0, combined cache update + package upgrade would not
always return changed=True but instead depended on whether the were any
packages to upgrade.

Gives the option to downgrade a server in the future, similar to the
default on Hetzner's Cloud Console ("CPU and RAM only").

250 is not a nice round number, whereas 200 is.

Add vault variables described in !532 (for aur-dev this time).

geoipupdate: implement role for use on geo mirrors

See merge request !541

This reverts commit c8d1a39a

Onboard kevr as project maintainer

Closes #438

See merge request !536

Fix #438

Remove our two borg hosts from the inventory

See merge request !540

Do the same for the hostkeys/known_hosts templates and disable fact
gathering.

Kind of sensitive information that doesn't need to be available to all
hosts.

These are managed services and Ansible doesn't run on them. It got
boring writing 'all,!rsync_net,!hetzner_storageboxes' in playbooks
and ad-hoc commands, so remove these borg hosts from our inventory.

Change docs/ssh-known_hosts.txt to be partially managed by Ansible, so
custom entries can be added to the top of the file. Use the new format
to write down the host keys of our two borg hosts.

grafana: Update Loki dashboard

See merge request !357