Enable error reporting for internal server errors and show stack trace
on a sandbox/dev environment.

Signed-off-by: moson <moson@archlinux.org>

Kristian Klausen authored 1 year ago and Levente Polyak committed 1 year ago

There is no reason for exposing the service to the whole internet nor
communicating without encryption. It could be fixed by restricting the
firewall rule to the public IP of the gitlb server and running it over
HTTPS or we could just use our existing WG network.

To allow gitlab to send requests to a private network address, the IP
has been allowlisted[1]. The endpoint also expects a "secret token"[2],
so it won't accept events from e.g. users creating a webhook with the
same URL.

[1] https://docs.gitlab.com/ee/security/webhooks.html#allow-outbound-requests-to-certain-ip-addresses-and-domains
[2] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token

There is no reason for this and we very rarely use the console anyway.

Ref #541

Trusted Users are now called Package Maintainers.
See the discussion in https://wiki.archlinux.org/title/ArchWiki_talk:Requests#Trusted_User_name_change

Once this is deployed, the users need to be migrated to the new group
by running:

    php ./maintenance/migrateUserGroup.php archtu archpackager

Related to #533

Closes: #542
Fixes: 722cc5bf ("aurweb: release 6.2.8")

The role has been renamed[1], so rename the bylaw subdomain.

tu-bylaws.aur.a.o will be kept around for some time redirecting to
package-maintainer-bylaws.aur.a.o.

[1] rfcs!7

Ref #533

* bump version
* services: rename tuvotereminder to votereminder
* nginx: redirect /tu to /package-maintainer
* nginx: remove /trusted-user/TUbylaws.html redirect

Signed-off-by: moson <moson@archlinux.org>

This includes several minor ui fixes.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Now matching the config in dbscripts itself. Also sort the repos.

- fix crash when $wgFooterIcons.poweredby is no set
- account for Extension:Renameuser being bundeled with 1.40
- enable the nosniff header for /images
- switch to running maintenance scripts via run.php

Signed-off-by: Christian Heusel <christian@heusel.eu>

Adding the extension was discussed here:
https://wiki.archlinux.org/index.php?title=ArchWiki_talk:Maintenance_Team&oldid=788677#Replace_PNG_images_with_SVG



Signed-off-by: Christian Heusel <christian@heusel.eu>

This also enables the Extension:VisualEditor on user pages.

Addition was positively discussed here:
https://wiki.archlinux.org/index.php?oldid=788677#Enable_the_DiscussionTools_extension



Signed-off-by: Christian Heusel <christian@heusel.eu>

this has been positively discussed here:
https://wiki.archlinux.org/index.php?oldid=788677#Enable_the_Thanks_extension



Signed-off-by: Christian Heusel <christian@heusel.eu>

In FS#79592 we encountered yet another case where sogrep was not able to
detect the necessary rebuild because the binaries reside in the
non-standard path "/usr/share/$pkgname/bin/" which we currently do not
take into account.

This commit fixes this behaviour by also taking files symlinked from one
of the standard locations into account.

The EDNS Client Subnet header can provide a more accurate location of
the client, especially if the client is not near the recursive resolver,
so use it if it's provided.

Since Linux 6.2, Btrfs enables asynchronous trimming in its mount flags.

[1] https://github.com/archlinux/archinstall/issues/1837
[2] https://github.com/torvalds/linux/commit/63a7cb130718

SSH defaults to disallowing empty passwords but Dovecot has no similar
safeguard (at least not one enabled by default). Remove "nullok" from
/etc/pam.d/system-auth to implement the desired behavior system-wide.

ansible-lint 6.19.0 started complaining about this:

   schema[tasks]: 'become_method' must be one of the currently available
   values: ansible.builtin.runas, ansible.builtin.su,
           ansible.builtin.sudo, ansible.netcommon.enable,
           community.general.doas, community.general.dzdo,
           community.general.ksu, community.general.machinectl,
           community.general.pbrun, community.general.pfexec,
           community.general.pmrun, community.general.sesu,
           community.general.sudosu, containers.podman.podman_unshare

The archive is too chonky to fit in 10T so the storage box is now 20T.

The expression "2^40 * ceil(hetzner_storage_box_size_bytes / 2^40)" is
used to round up hetzner_storage_box_size_bytes to the next TB because
when we do "df" on the storage box, the total blocks exclude snapshots.

The gitlab bot added in [1] expired after one month, so this allowlist
the new bot, which expires after 11 months (gitlab's maximum).

[1] 5fb8df85 ("gluebuddy: Add gitlab bot for aurweb-tfstate project")

We have had bruteforce attempts to perform SQL injections on the signup
page. To get rid of the alerts, let's rate limit this properly.

This closes issues with a link to the new Gitlab issue using the
`id-mapping-$project.json` file created by the migration script.

This was a bit of trial and error (testing with the arch-boxes project.)

It used to be pulled in as a dependency of gzip, but that was recently
changed to an optional dependency [1]. It's a good tool so add it back.

[1] archlinux/packaging/packages/gzip@be440e27

It was brought to our attention by @foxboron, that arch-security is
misconfigured. It should only accept mails from members of the Arch
Security Team.

It is unclear if the list has always been misconfigured or if it
happened as part of mailman2 -> mailman3 migration.

Playbook allows us to provision an aurweb sandbox host.

Ref: aurweb/!752

Signed-off-by: moson <moson@archlinux.org>

Introduce "root_additional_keys" variable allowing us to deploy
additional root keys with our "root_ssh" role

Signed-off-by: moson <moson@archlinux.org>