* bump version
* services: rename tuvotereminder to votereminder
* nginx: redirect /tu to /package-maintainer
* nginx: remove /trusted-user/TUbylaws.html redirect

Signed-off-by: moson <moson@archlinux.org>

This includes several minor ui fixes.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Now matching the config in dbscripts itself. Also sort the repos.

- fix crash when $wgFooterIcons.poweredby is no set
- account for Extension:Renameuser being bundeled with 1.40
- enable the nosniff header for /images
- switch to running maintenance scripts via run.php

Signed-off-by: Christian Heusel <christian@heusel.eu>

Adding the extension was discussed here:
https://wiki.archlinux.org/index.php?title=ArchWiki_talk:Maintenance_Team&oldid=788677#Replace_PNG_images_with_SVG



Signed-off-by: Christian Heusel <christian@heusel.eu>

This also enables the Extension:VisualEditor on user pages.

Addition was positively discussed here:
https://wiki.archlinux.org/index.php?oldid=788677#Enable_the_DiscussionTools_extension



Signed-off-by: Christian Heusel <christian@heusel.eu>

this has been positively discussed here:
https://wiki.archlinux.org/index.php?oldid=788677#Enable_the_Thanks_extension



Signed-off-by: Christian Heusel <christian@heusel.eu>

In FS#79592 we encountered yet another case where sogrep was not able to
detect the necessary rebuild because the binaries reside in the
non-standard path "/usr/share/$pkgname/bin/" which we currently do not
take into account.

This commit fixes this behaviour by also taking files symlinked from one
of the standard locations into account.

The EDNS Client Subnet header can provide a more accurate location of
the client, especially if the client is not near the recursive resolver,
so use it if it's provided.

Since Linux 6.2, Btrfs enables asynchronous trimming in its mount flags.

[1] https://github.com/archlinux/archinstall/issues/1837
[2] https://github.com/torvalds/linux/commit/63a7cb130718

SSH defaults to disallowing empty passwords but Dovecot has no similar
safeguard (at least not one enabled by default). Remove "nullok" from
/etc/pam.d/system-auth to implement the desired behavior system-wide.

ansible-lint 6.19.0 started complaining about this:

   schema[tasks]: 'become_method' must be one of the currently available
   values: ansible.builtin.runas, ansible.builtin.su,
           ansible.builtin.sudo, ansible.netcommon.enable,
           community.general.doas, community.general.dzdo,
           community.general.ksu, community.general.machinectl,
           community.general.pbrun, community.general.pfexec,
           community.general.pmrun, community.general.sesu,
           community.general.sudosu, containers.podman.podman_unshare

The archive is too chonky to fit in 10T so the storage box is now 20T.

The expression "2^40 * ceil(hetzner_storage_box_size_bytes / 2^40)" is
used to round up hetzner_storage_box_size_bytes to the next TB because
when we do "df" on the storage box, the total blocks exclude snapshots.

The gitlab bot added in [1] expired after one month, so this allowlist
the new bot, which expires after 11 months (gitlab's maximum).

[1] 5fb8df85 ("gluebuddy: Add gitlab bot for aurweb-tfstate project")

We have had bruteforce attempts to perform SQL injections on the signup
page. To get rid of the alerts, let's rate limit this properly.

This closes issues with a link to the new Gitlab issue using the
`id-mapping-$project.json` file created by the migration script.

This was a bit of trial and error (testing with the arch-boxes project.)

It used to be pulled in as a dependency of gzip, but that was recently
changed to an optional dependency [1]. It's a good tool so add it back.

[1] archlinux/packaging/packages/gzip@be440e27

It was brought to our attention by @foxboron, that arch-security is
misconfigured. It should only accept mails from members of the Arch
Security Team.

It is unclear if the list has always been misconfigured or if it
happened as part of mailman2 -> mailman3 migration.

Playbook allows us to provision an aurweb sandbox host.

Ref: aurweb/!752

Signed-off-by: moson <moson@archlinux.org>

Introduce "root_additional_keys" variable allowing us to deploy
additional root keys with our "root_ssh" role

Signed-off-by: moson <moson@archlinux.org>

Use variables to define our systemd unit files.

Signed-off-by: moson <moson@archlinux.org>

* Move modules installation:
We need some modules to be installed when doing the DB init. (alembic)
* Remove double entry for starting "aurweb-git-archive.timer"
* Link update wrapper after creating git repo
* Fix permissions cgit deploy

Signed-off-by: moson <moson@archlinux.org>

So far the for loop recognized filenames with spaces as different words:

$ for f in $(find pkg -type f); do echo "$f"; done
pkg/usr/bin/Surge
XT
Effects
pkg/usr/bin/Surge
XT

While the correct output here would have been:
pkg/usr/bin/Surge XT Effects
pkg/usr/bin/Surge XT

We fix this by just passing everything directly to readelf, which also
removes the loop overhead. This results in a significant speedup for
packages with a lot of libraries and binaries.

fixes: #524


Co-Authored-By: Evangelos Foutras <evangelos@foutras.com>

Commit 8e6d5474 ("sshd: use drop-in for basic sshd configuration")
changed the sshd_config.j2 template to contain only overridden bits of
sshd_config. However, it did not account for the install_arch role use
of the same template which was still installed to /etc/ssh/sshd_config.

Fix install_arch to install to etc/ssh/sshd_config.d/override.conf too.

Fixes: 8e6d5474 ("sshd: use drop-in for basic sshd configuration")

Aurweb wants to use terraform to create VMs in the Hetzner cloud sandbox
project and it must store the terraform state somewhere. The state can
be stored in GitLab[1], but unfortunately the access is not very
granular. So to avoid handing the CI pipeline too much access to the
aurweb project, a new project has been created, to store only the
terraform state, and an associated project access token.

[1] https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html

This is meant to be used in the Hetzner cloud sandbox project, so SSH
keys can be injected when a new VM is created from e.g. a CI pipeline,
so that the CI pipeline can SSH to the newly created VM.

The EC2 metadata service is used over the Hetzner metadata service, as
it is supported by more providers (including Hetzner).

Extend the role (previously used for ACME DNS verifications only) to
support dynamic DNS functionality planned for sandbox.archlinux.page.

Add timeseries visualizations for number of requests by status and type.

Convert "graph" vis. types to "timeseries" for Users and Packages.
("graph" is deprecated)

Signed-off-by: moson <moson@archlinux.org>

This saves us from having to rebase on every upstream config change.