- Sep 17, 2023
-
-
Kristian Klausen authored
The gitlab bot added in [1] expired after one month, so this allowlists the new bot, which expires after 11 months (gitlab's maximum).

[1] 5fb8df85 ("gluebuddy: Add gitlab bot for aurweb-tfstate project")
-
Jelle van der Waa authored
mailman: rate limit the uwsgi endpoint to 2 requests/sec

See merge request !760
-
Jelle van der Waa authored
We have had bruteforce attempts to perform SQL injections on the signup page. To get rid of the alerts, let's rate limit this properly.
-
- Sep 13, 2023
-
-
Jan Alexander Steffens (heftig) authored
-
Jan Alexander Steffens (heftig) authored
-
- Sep 02, 2023
-
-
Evangelos Foutras authored
-
- Sep 01, 2023
-
-
Jan Alexander Steffens (heftig) authored
-
Jelle van der Waa authored
This closes issues with a link to the new Gitlab issue using the `id-mapping-$project.json` file created by the migration script.
-
- Aug 31, 2023
-
-
Jelle van der Waa authored
-
- Aug 30, 2023
-
-
Evangelos Foutras authored
10.0.0.43 had already been allocated to london.mirror.pkgbuild.com creating a conflict in Prometheus. Pick the next available address.
-
- Aug 25, 2023
-
-
Jelle van der Waa authored
-
- Aug 24, 2023
-
-
Evangelos Foutras authored
This was a bit of trial and error (testing with the arch-boxes project.)
-
- Aug 21, 2023
-
-
Evangelos Foutras authored
It used to be pulled in as a dependency of gzip, but that was recently changed to an optional dependency [1]. It's a good tool so add it back.

[1] archlinux/packaging/packages/gzip@be440e27
-
Kristian Klausen authored
It was brought to our attention by @foxboron that arch-security is misconfigured. It should only accept mails from members of the Arch Security Team. It is unclear if the list has always been misconfigured or if it happened as part of the mailman2 -> mailman3 migration.
-
Kristian Klausen authored
aurweb dev playbook & fixes for aurweb playbook

See merge request !752
-
Mario Oenning authored
Playbook allows us to provision an aurweb sandbox host.

Ref: aurweb/!752
Signed-off-by: moson <moson@archlinux.org>
-
Mario Oenning authored
Introduce "root_additional_keys" variable allowing us to deploy additional root keys with our "root_ssh" role

Signed-off-by: moson <moson@archlinux.org>
-
Mario Oenning authored
Use variables to define our systemd unit files.

Signed-off-by: moson <moson@archlinux.org>
-
Mario Oenning authored
* Move modules installation: We need some modules to be installed when doing the DB init. (alembic)
* Remove double entry for starting "aurweb-git-archive.timer"
* Link update wrapper after creating git repo
* Fix permissions cgit deploy

Signed-off-by: moson <moson@archlinux.org>
-
- Aug 20, 2023
-
-
Evangelos Foutras authored
dbscripts: fix createlinks for filenames that contain spaces

Closes #524

See merge request !751
-
Christian Heusel authored
So far the for loop recognized filenames with spaces as different words:

    $ for f in $(find pkg -type f); do echo "$f"; done
    pkg/usr/bin/Surge
    XT
    Effects
    pkg/usr/bin/Surge
    XT

While the correct output here would have been:

    pkg/usr/bin/Surge XT Effects
    pkg/usr/bin/Surge XT

We fix this by just passing everything directly to readelf, which also removes the loop overhead. This results in a significant speedup for packages with a lot of libraries and binaries.

fixes: #524
Co-Authored-By: Evangelos Foutras <evangelos@foutras.com>
-
Evangelos Foutras authored
This allows for tasks/include/upgrade-server.yml to be reused elsewhere.
-
- Aug 19, 2023
-
-
Evangelos Foutras authored
Commit 8e6d5474 ("sshd: use drop-in for basic sshd configuration") changed the sshd_config.j2 template to contain only overridden bits of sshd_config. However, it did not account for the install_arch role's use of the same template which was still installed to /etc/ssh/sshd_config. Fix install_arch to install to etc/ssh/sshd_config.d/override.conf too.

Fixes: 8e6d5474 ("sshd: use drop-in for basic sshd configuration")
-
Kristian Klausen authored
Misc changes for supporting aurweb's review apps need

See merge request !748
-
Kristian Klausen authored
The VMs created in the Hetzner cloud sandbox project must be accessible with a DNS name. This creates a dedicated DNS zone for this purpose. For now this zone will only be used by the aurweb project, so it can create DNS records for the VMs it creates. This is needed so the dynamically created environment can be accessed over HTTPS.

[1] https://docs.gitlab.com/ee/ci/review_apps/
-
Kristian Klausen authored
Aurweb wants to use terraform to create VMs in the Hetzner cloud sandbox project and it must store the terraform state somewhere. The state can be stored in GitLab[1], but unfortunately the access is not very granular. So to avoid handing the CI pipeline too much access to the aurweb project, a new project has been created, to store only the terraform state, and an associated project access token.

[1] https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html
-
Kristian Klausen authored
This is meant to be used in the Hetzner cloud sandbox project, so SSH keys can be injected when a new VM is created from e.g. a CI pipeline, so that the CI pipeline can SSH to the newly created VM. The EC2 metadata service is used over the Hetzner metadata service, as it is supported by more providers (including Hetzner).
-
Kristian Klausen authored
A new Hetzner cloud project has been created called "Sandbox". This project is meant for non-production workload which must be created on-demand from e.g. a CI pipeline. The first project using the sandbox is aurweb, which wants to use GitLab's Review apps[1] feature to create dynamic environments on-demand. Two API tokens have been created, one for the infrastructure project (to be used by packer) and one for the aurweb project.

[1] https://docs.gitlab.com/ee/ci/review_apps/
-
Kristian Klausen authored
As of version 1.7.0, HCL2 is the preferred way to write Packer templates. The documentation reflects this and it is easier if we use the preferred format.
-
- Aug 18, 2023
-
-
Evangelos Foutras authored
acme_dns_challenge: turn into more generic dyn_dns

See merge request !754
-
Evangelos Foutras authored
Extend the role (previously used for ACME DNS verifications only) to support dynamic DNS functionality planned for sandbox.archlinux.page.
-
- Aug 13, 2023
-
-
Kristian Klausen authored
Setup bugbuddy server for upcoming bugbuddy tool

See merge request !743
-
Kristian Klausen authored
Bugbuddy is the upcoming tool for assigning package bugs to the proper folks. The bugbuddy role will be created at a later date when the tool is ready.
-
Kristian Klausen authored
grafana: Add requests to aurweb dashboard

See merge request !753
-
Mario Oenning authored
Add timeseries visualizations for number of requests by status and type. Convert "graph" vis. types to "timeseries" for Users and Packages. ("graph" is deprecated)

Signed-off-by: moson <moson@archlinux.org>
-
Evangelos Foutras authored
This saves us from having to rebase on every upstream config change.
-
Evangelos Foutras authored
The same drop-in functionality is now provided by the openssh package via /etc/ssh/sshd_config.d/.
-
- Aug 12, 2023
-
-
Evangelos Foutras authored
-
Evangelos Foutras authored
-
- Aug 11, 2023
-
-
Kristian Klausen authored
Add RedHat account and dedicated GitHub account for archlinux-docker

See merge request !704
-