Robin Candau authored 3 months ago and Robin Candau committed 2 months ago

See https://github.com/ansible/ansible/pull/77644

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Fixes: 87b2eddf ("aurweb: enable goaurrpc metrics and dashboard")

We do not usually expose metrics publicly and there is no good reason
for handling aurweb differently.

Fixes: 74757d6b ("Scape aurweb metrics")

They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on
archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the
":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606

We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606

F5/nginx has blogged about this[1] and it is also mentioned in nginx's
documentation[2]:
"There could be several add_header directives. These directives are
inherited from the previous configuration level if and only if there are
no add_header directives defined on the current level. "

The problem occurs when add_header is used in a child context like a
server{} or location{} block. It is solved by moving the HSTS header
into a snippet, which is now included before all add_header lines.

For now the HSTS header is the only global header, but in the future we
may need to add more global headers, like the Alt-Svc header[3] for
HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Christian Heusel <christian@heusel.eu>

This should i.e. forbid crawlers to index all of the git diffs which
put's unneccessary load on the server and is not really of benefit to be
indexed anyways.

Link: #610


Reviewed-by: Sven-Hendrik Haase <svenstaro@gmail.com>
Reviewed-by: Levente Polyak <anthraxx@archlinux.org>
Signed-off-by: Christian Heusel <christian@heusel.eu>

See: #600

Robin Candau authored 9 months ago and Robin Candau committed 9 months ago

> 2024/06/02 11:05:53 \[warn\] 30324#30324: the "listen ... http2" directive is deprecated, use the "http2" directive instead

Fixes #589

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: moson <moson@archlinux.org>

Enable error reporting for internal server errors and show stack trace
on a sandbox/dev environment.

Signed-off-by: moson <moson@archlinux.org>

Closes: #542
Fixes: 722cc5bf ("aurweb: release 6.2.8")

* bump version
* services: rename tuvotereminder to votereminder
* nginx: redirect /tu to /package-maintainer
* nginx: remove /trusted-user/TUbylaws.html redirect

Signed-off-by: moson <moson@archlinux.org>

Playbook allows us to provision an aurweb sandbox host.

Ref: aurweb/!752

Signed-off-by: moson <moson@archlinux.org>

Use variables to define our systemd unit files.

Signed-off-by: moson <moson@archlinux.org>

* Move modules installation:
We need some modules to be installed when doing the DB init. (alembic)
* Remove double entry for starting "aurweb-git-archive.timer"
* Link update wrapper after creating git repo
* Fix permissions cgit deploy

Signed-off-by: moson <moson@archlinux.org>

The same drop-in functionality is now provided by the openssh package
via /etc/ssh/sshd_config.d/.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Jelle van der Waa authored 1 year ago and Leonidas Spyropoulos committed 1 year ago

Apply the same rate limitting and fail2ban rules for aur.archlinux.org

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Adjust bash wrapper scripts to activate our python virtualenv:
Script execution is triggered from ssh / git.
These wrapper scripts then call python scripts created by poetry.

We should make sure that this happens within our venv.

Previously this was done by using "poetry run...".
However, using poetry is costly and adds some delay.
Instead of using poetry, we can just activate our venv
and then execute our scripts.

Fixes: b15ac838 ("aurweb: Make SSH faster by avoiding slow Poetry (~2,5 sec faster)")

Signed-off-by: moson-mo <mo-son@mailbox.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

This release removes the php code and adjusts the location of .gz
artifacts.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Liberally add "noqa no-changed-when" tags to the problematic tasks,
except for two "systemd-tmpfiles --create" calls. For these we can
simply include the creates= parameter in the command module's call.

Leonidas Spyropoulos authored 2 years ago and Evangelos Foutras committed 2 years ago

Convert the permissions to strings to avoid octal interpretation.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>