- May 14, 2022
-
-
Kristian Klausen authored
We want to migrate to mailman3 as mailman2 is basically unmaintained and requires Python 2 which is EOL. Because the mailman and mailman3 packages conflict and we don't want to perform a big bang migration, mailman3 must be deployed on a separate server.

mailman-web (mailman3's web interface) hasn't been packaged yet, so for now we are using my homebrewed PKGBUILD[1].

[1] https://gist.github.com/klausenbusk/5982063f95c503754a51ed2fefb8915e

Ref #59
-
Evangelos Foutras authored
Fixes: afb582b1 ("geomirror: extract acme dns challenge into new role")
-
Evangelos Foutras authored
debuginfod: let nginx compress octet-stream responses
See merge request !573
-
Evangelos Foutras authored
Using the fastest gzip compression level to avoid burning too much CPU.
-
Evangelos Foutras authored
Implement generalized support for geo domains
See merge request !574
-
Evangelos Foutras authored
-
Evangelos Foutras authored
The intention is to use this config for other domains besides a mirror.
-
Evangelos Foutras authored
  - add the new role to redirect.archlinux.org
  - release mirror.pkgbuild.com of all DNS duties
-
Evangelos Foutras authored
-
- May 12, 2022
-
-
Kristian Klausen authored
Kevin is MIA, so add my key, so we can do releases.
-
Kristian Klausen authored
Provision server for buildbot POC
See merge request !571
-
Kristian Klausen authored
Foxboron wants some infra for a buildbot POC, so let's give it to him! The server has been configured with the common and firewalld role.
-
Evangelos Foutras authored
Remove [node_exporters]/[wireguard] from inventory + Replace dynamic hcloud inventory with host entries
See merge request !572
-
Evangelos Foutras authored
We make almost no use of the dynamic properties of the hcloud inventory, so we can simplify this by declaring all cloud servers in the main hosts inventory. The main benefit of this change is that temporary and experimental cloud servers are not automatically included in the Ansible playbooks. In such cases it is usually incorrect to deploy changes to these unknown servers. A smaller side benefit is that Ansible will now use hostnames to connect to cloud servers, whereas the dynamic inventory provided IPv4 addresses. This results in more meaningful ~/.ssh/known_hosts entries.
-
Evangelos Foutras authored
All servers are part of these groups which makes them redundant.
-
Evangelos Foutras authored
Keycloak 18.0.0 disallows this by default; enable the legacy behavior temporarily. When this stops working, we should consider removing the 'redirect_uri' parameter entirely.

Should also check if GitLab and/or Grafana have implemented support for alternative ways of signing out:
  - https://gitlab.com/gitlab-org/gitlab/-/issues/14414
  - https://github.com/grafana/grafana/issues/24643
-
Evangelos Foutras authored
-
Evangelos Foutras authored
tf-stage2: update keycloak provider to 3.8.1
See merge request !569
-
- May 10, 2022
-
-
Evangelos Foutras authored
OpenID clients:
  - 'use_refresh_tokens' set to false to preserve the values on live
  - 'backchannel_logout_session_required' implicitly changed to true for the 'grafana_openid_client' and 'openid_gitlab' clients

SAML client (GitLab):
  - 'front_channel_logout' set to false to preserve the live setting
-
- May 09, 2022
-
-
Evangelos Foutras authored
Otherwise running terraform under tf-stage2 will often fail with:

> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'
-
Evangelos Foutras authored
-
Leonidas Spyropoulos authored
gitlab-exporter: add gitlab-exporter to monitoring
See merge request !566
-
Leonidas Spyropoulos authored
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
-
Evangelos Foutras authored
Bash histories indicate this isn't being used anywhere other than {build,gemini}.archlinux.org and gemini's filelist is so big that locate becomes so slow that it's practically useless on this box.
-
Evangelos Foutras authored
-
Evangelos Foutras authored
-
- May 08, 2022
-
-
Evangelos Foutras authored
-
- May 07, 2022
-
-
Kristian Klausen authored
Onboard artafinde as Junior DevOps
Closes #452
See merge request !567
-
Kristian Klausen authored
artafinde is our newest Junior DevOp[1] and will get access to:
  * monitoring.al.org: for setting up gitlab-exporter[1]
  * gitlab.al.org: for setting up gitlab-exporter[1]
  * dashboards.al.org: in case he wants to do more monitoring related stuff

[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/

Fix #452
-
Evangelos Foutras authored
Move highly sensitive secrets to new "super" vault
See merge request !565
-
Evangelos Foutras authored
-
Evangelos Foutras authored
  - group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
  - misc/vaults/additional-credentials.vault: remove zabbix irc bot
  - roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access
-
Evangelos Foutras authored
-
Evangelos Foutras authored
The idea behind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.
-
Evangelos Foutras authored
These were previously removed temporarily and re-created several minutes later during the process of deploying archusers to gemini.archlinux.org.
-
Evangelos Foutras authored
Add additional pubkey for dvzrv
See merge request !568
-
David Runge authored
pubkeys/dvzrv.pub: Add pubkey based on auth subkey of PGP key `1793DAD5D803A8FFD7451697BB992F9864FAD168`.
-
- May 04, 2022
-
-
Jan Alexander Steffens (heftig) authored
-
Jan Alexander Steffens (heftig) authored
-
- Apr 29, 2022
-
-
Evangelos Foutras authored
geomirror: leverage LUA records for failover+GeoIP
See merge request !563
-