- Dec 15, 2024
Kristian Klausen authored
With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored on the servers.

[1] https://github.com/systemd/systemd/pull/30826
[2] https://github.com/systemd/systemd/releases/tag/v256
[3] archlinux/infrastructure#64
-
- Nov 30, 2024
Kristian Klausen authored
The naming of yaml files should be consistent.
-
- Aug 17, 2024
Kristian Klausen authored
They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the ":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606
-
- Aug 13, 2023
Evangelos Foutras authored
The same drop-in functionality is now provided by the openssh package via /etc/ssh/sshd_config.d/.
-
- Jul 10, 2023
Apply the same rate limiting and fail2ban rules for aur.archlinux.org
-
- Oct 14, 2022
Evangelos Foutras authored
Move the 'sshd_enable_includes' override to aur's host vars instead of specifying it as part of playbooks/aur.archlinux.org. Otherwise, would break the AUR's SSH auth if ssh.d/aurweb_config does not get included.
-
- Jun 08, 2022
Evangelos Foutras authored
These are used to signal the start of the document in a stream of many documents. As Ansible only supports one YAML document per file this is unnecessary. About a third of our YAML documents already lacked these.
-
- Apr 10, 2022
Evangelos Foutras authored
This is needed for prometheus memcached exporter to work. (AUR doesn't seem to use memcached anymore, but changed it for consistency.)
-
- Jul 06, 2021
Kristian Klausen authored
This is meant as an internal authenticated and encrypted network which we can use for internal services we don't want to expose to the internet, or when encryption is desired but not easily implementable.
-
- Jun 16, 2021
Kristian Klausen authored
Fix #325
-
- Nov 21, 2020
Jelle van der Waa authored
Zabbix has been replaced by Prometheus for monitoring our services.
-
- Nov 02, 2020
Jelle van der Waa authored
For all hosts we want to have a working fail2ban for sshd brute force attempts through a group_vars/all. For some hosts an override is required to enable postfix or dovecot jails.
-
- Sep 21, 2020
Jelle van der Waa authored
Extend the memcached service for the AUR to allow the memcached group to read the socket to obtain statistics.
-
- May 28, 2020
Jan Alexander Steffens (heftig) authored
This reverts commit 81bb41e3. We actually do need to specify all fields.
-
Jan Alexander Steffens (heftig) authored
Remove jail config from host_vars that just sets the default of false (disabled).
-
Jan Alexander Steffens (heftig) authored
-
- May 10, 2020
Jan Alexander Steffens (heftig) authored
-
- Dec 30, 2019
Giancarlo Razzolini authored
Added a host_vars entry for aur-dev.archlinux.org.
-
- Nov 09, 2019
Phillip Smith (fukawi2) authored
-
- Oct 30, 2019
Phillip Smith (fukawi2) authored
-
- Oct 27, 2019
Jelle van der Waa authored
-