Move backup-related variable defaults from the database roles into the
borg_client role. Also check group membership to guard installation of
database backup helper scripts.

Due to the "systemctl is-active foo && backup-foo || true" shorthand,
errors during database dumping were being ignored. Change the MariaDB
section to also be wrapped in a proper if statement. Finally, get rid
of "|| true" silencing statements + enable errexit in helper scripts.

archlinux/dbscripts@cde46716


includes fixes for pacman 6.1

Signed-off-by: David Runge <dvzrv@archlinux.org>

Fixes a NOT NULL violation related to Pacman 6.1 dropping MD5 checksums
from repository databases.

Fixes: 4e5550a8 ("Decommission bugs.archlinux.org and replace it with a static copy[1]")

This may be interesting for our mirror administrators and mirror owners.

I tried backfilling the data, but was unsuccessful, due to a bug[1]. We
may try again if/when the bug is fixed.

[1] https://github.com/prometheus/prometheus/issues/13747

The only variables we want to change are MAKEFLAGS and SRCDEST so
this is a cleaner approach compared to templating the whole file.

Change this to the noreply mail but also add a wiki tag to it so it can
more easily be filtered in mail programs.

Fixes #563



Signed-off-by: Christian Heusel <christian@heusel.eu>

Up until now the captcha has depended on the exact output of the pacman
version command which could lead to multiple problematic scenarios:

    a) User uses testing repos (user pacman newer)
    b) Server is not instantly updated (user pacman newer)
    c) User system is not updated (user pacman older)

Circumvent this problem by switching to a time based captcha instead.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Signed-off-by: Christian Heusel <christian@heusel.eu>

The systemd environment variables can be read by anyone, so move the
secret to the configuration file, which can only be read by root and the
hedgedoc user.

Fix #562

The config file contain secrets, so it should not be world writable.

Fix #562

The firewalld direct interface is deprecated and will be removed in a
future release[1]. Recently IPv4 connectivity inside docker containers
on our runners broke and after some troubleshooting, the issue was
pinpointed to the start of the fail2ban service. We also had issues in
the past where sometimes firewalld had to be restarted after boot before
network connectivity worked in libvirt on our runners.

The issuse may be due to a bug in the way fail2ban use the direct
interface, a bug in firewalld or a combination thereof. Let's just avoid
the direct interface altogether and create a clean separation, with
firewalld handling the blocking and fail2ban maintaining the ipset.

[1] https://firewalld.org/documentation/man-pages/firewalld.direct.html

Fixes: 97bc3928 ("gitlab_runner: raise max memory to 2GB")

This is required f.e. for the dbscripts pipeline where kcov coverage
requires quite a bit more memory and fails to run in parallel with 1GB
limit.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Signed-off-by: Christian Heusel <christian@heusel.eu>

When there was an error i.e. with the image verification the loopdev
variable was unbound in the cleanup function. We fix this by defining
the variable as empty.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Signed-off-by: Christian Heusel <christian@heusel.eu>

Jakub Klinkovský authored 1 year ago and Christian Heusel committed 1 year ago

Related to #557

Related to #550
Related to #551

Fixes: 4e5550a8 ("Decommission bugs.archlinux.org and replace it with a static copy[1]")
Signed-off-by: Christian Heusel <christian@heusel.eu>

This feature is needed for the static copy of bugs.a.o[2], to redirect
some of the migrated tasks to the new gitlab URLs.

[1] https://docs.gitlab.com/ee/user/project/pages/redirects.html#domain-level-redirects
[2] https://gitlab.archlinux.org/archlinux/bugs-archive/-/blob/snapshots/_redirects

As announced[2][3] the bugtracker has been migrated to gitlab, so
bugs.a.o can be decommissioned and replaced with a static copy[1](to
avoid link rot).

[1] https://gitlab.archlinux.org/archlinux/bugs-archive/
[2] https://archlinux.org/news/bugtracker-migration-to-gitlab-completed/
[3] https://lists.archlinux.org/hyperkitty/list/arch-dev-public@lists.archlinux.org/thread/WYXDTJ3TR2DWRQCDZK44BQDH67IDVGTS/

Fix #550
Fix #551

Since Gitlab causes high email traffic, apply the same rule as for the
aur by adding the sasl_username for gitlab to the no limits list.

Fix #564

Doesn't make sense to split these; the notifications are unnecessary.