rsync.net has upgraded to borg 1.2 and we can now run borg compact on
both rsync.net and the Hetzner storage box.

Fixes: 17927c9a ("borg_client: run compact after pruning on borg 1.2")

Update /etc/rebuilderd-sync.conf to use the Geo host mirror instead of
europe.mirror.pkgbuild.com (for added reliability in case the latter's
availability is impacted).

The /api/v0/build/report endpoint has received POSTs up to 161M so far
this year (2022). In 2021 there had been POSTs of sizes up to 404M and
up to 814M for 2020. Multiple hundreds of MB seem a bit excessive, but
we should be able to do up to 200M.

Remove a few stray TABs and correct double-indented lines.

Upstream archlinux-repro was already using europe.mirror.pkgbuild.com as
its bootstrap and regular mirror. Furthermore, since [1] it has switched
to the Geo mirror. Remove both vars from /etc/archlinux-repro/repro.conf
and use the default mirror values (which are more than suitable).

[1] https://github.com/archlinux/archlinux-repro/commit/c024b892d07a

Fixes: 68ec7871 ("aurweb: Mirror aur.git to GitHub[1]")

aurweb: increase burst size for smartgit endpoint

See merge request !611

The burst size of 300 reportedly allows ~150 git operations. This might
not always be sufficient when installing a lot of packages from the AUR.

Specify a higher burst size to cover most legit use cases, even if this
makes us more susceptible to abuse.

Recently added to the aurweb project as Developer, access to the server
hosting the AUR should provide him more opportunity for troubleshooting.

Its disks were migrated to a new server (prompted by an unsolvable issue
with the previous box's network interface; might have been a mobo issue).

gitlab_runner: Add VM based executor (libvirt-executor)

Closes #283

See merge request !385

"Disabling revoked keys in keyring" when running "pacman-key --populate"
is very slow (easily +20 seconds), in our case the boot is now ~27
seconds faster (tested on secure-runner1). The pacman master private key
is removed to prevent malicious actors from injecting packages, a new
key is generated by pacman-init.service on boot.

[1] https://archlinux.org/news/qemu-700-changes-split-package-setup/

Changes:
- Switch to arch-boxes' base image
- Verify the base image's signature
- Use the new "latest" symlink, instead of parsing the HTML for
  finding the latest arch-boxes image[1]
- Create the base image by using arch-chroot and friends, instead of
  creating a full-blown VM
- Create the VMs from domain XML template instead of virt-clone
- Switch mirror to geo.mirror.pkgbuild.com
- Try to follow "filesystem hierarchy" standards for where to place
  configuration (id_ed25519) and "vendor data" (arch-boxes.asc and
  domain_template.xml)
- Use a ed25519 key instead of RSA key
- Only start the "update base image" server if network and DNS are up
- Misc fixes and cleanups

[1] !552

Upstream now provides a solution for setting the "staging dir" for
fastzip[1].

[1] https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/3130

The runner was accidentally made "specific", which can't be reverted[1].

[1] https://gitlab.com/gitlab-org/gitlab/-/issues/16167

For some workloads running in a container is too restrictive, ex:
arch-boxes (loop device, filesystem mount, pacstrap) and archiso
(pacstrap). Currently they both run a TCG accelerated QEMU VM, which is
very slow and painful to work with. We should provide a better option to
our users!

This adds a hardware accelerated VM for this kinds of workloads, which
is way faster and you can do whatever you like (mostly)!

Fix #283

The service hardening options have been included in geoipupdate 4.9.0-3.

[1] https://bugs.archlinux.org/task/75434

aurweb: Mirror aur.git to GitHub[1]

See merge request !609

This is meant as a extra "backup" and as another way for our users to
fetch PKGBUILDs from the AUR. It also allows the community to create
their own (perhaps better) "AUR" API/database as all essential data is
now available (this + [2]).

At the monent this is experimental and we aren't committing to keeping
it around.

[1] https://github.com/archlinux/aur
[2] http://aur.archlinux.org/packages-meta-ext-v1.json.gz

We took it out of Geo duties two months ago, but it's still offline and
it gets annoying having to exclude it from all Ansible executions we do.

archwiki: use a drop-in file for memcached@.service instead of an entirely custom unit

See merge request !587

This allows to retain all default hardening options that memcached@.service has.

tf/keycloak: add "Configure OTP" to default actions

See merge request !581

When signing into GitLab, opting to create a new keycloak account
results in being able to sign into GitLab without setting up OTP.

Since any subsequent login will require configuring OTP, it seems
well advised to prompt for it as part of the registration process.

Use C.UTF-8 as the default locale

See merge request !588

The glibc 2.35-6 package ships with the C.UTF-8 locale included which
means there is now a usable UTF-8 locale available by default.

en_US.UTF-8 will still be generated because PostgreSQL clusters are
created with that locale. Migrating the clusters to C.UTF-8 is
possible, but that requires dumping and recreating them.

archwiki: LocalSettings.php: update URLs and comments

See merge request !608

* Remove www. from archlinux.org,
* Use HTTPS for the license link,
* Update $wgGitRepositoryViewers,
* Update comments referencing paths and URLs.

Add additional pubkey for dvzrv

See merge request !605

pubkeys/dvzrv.pub:
Add additional pubkey, based on the PGP key
`991F6E3F0765CF6295888586139B09DA5BF0D338`.
For chain of trust towards the previously used signing key
`C7E7849466FE2358343588377258734B41C31549`, refer to the output of
`pacman-key --list-sigs 991F6E3F0765CF6295888586139B09DA5BF0D338`.

security-tracker: bump version to 0.13

See merge request !606

Brings support for managing Primary IPs.

There's a bit of a chicken and egg situation here but it's preferable to
manage the server's attributes the same way as all of the cloud servers.