All lists have been migrated to mailman3[1] and mailman3 is what users
should use, so show its interface by default and not the mailman2
interface.

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")

Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")

arch-general
aur-general
aur-requests

It has been decided not to migrate the following unlisted and unused
lists:
arch-magazine
arch-notifications
arch-test
mailman

Fixes: 92586d5b ("change(aurweb): rework ansible config for 6.0.0")

Required for poetry 1.2 until #1917 is fixed

https://github.com/python-poetry/poetry/issues/1917



Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

The default (40KB) isn't enough for all patches.

Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel.
See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7

This could prevent a scenario where a malicious kernel module or access to some interface that kernel lockdown prevents, would allow or assist in escaping the KVM.
It is not very likely as there needs to be an exploitable vulnerability in the hypervisor.
To make it more secure, the host too would need to enable kernel lockdown.

In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.

arch-commits
arch-security
aur-dev
pacman-contrib
pacman-dev

It is cumbersome to manage the list configurations from the web ui and
easy for them to diverge, so let's instead manage them with Ansible.

Fix #254

The default of 0.5 has proven insufficient on at least 3 boxes so far.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Otherwise it can't open our letsencrypt certs. It will setuid to
`turnserver` itself.

We get a lot of unauthorized STUN requests in the logs.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This avoid having extra-long lines and works fine for task-based rules.

This might be a bug in ansible-lint 6.5.0, but it appears to ignore all
our 'skip_ansible_lint' tags. Fix this by replacing them with noqa tags.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

Useful if we wanted to create a Geo-based archive consisting of machines
in the archive_mirrors group (though this will likely not happen because
it'd break archlinux-repro due to the ~4 hour sync delay).

When the GeoIP databases get refreshed (weekly), we want PowerDNS to
reload them. Do this by running pdns_control reload in ExecStartPost.

"poetry run" is very slow[1] and adds +1 second to the startup time.
This is made even worse by the fact that aurweb-git-serve is called
twice by sshd[2].

[1] https://github.com/python-poetry/poetry/issues/3502
[2] https://security.stackexchange.com/questions/123795/authorizedkeyscommand-of-sshd-config-getting-called-twice/123801#123801

Microcode updates are not applicable to cloud servers.

http_requests_total  contains requests from debuginfo.al.org host
as well as from aur.al.org so filter them on job 'aurweb'

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Using plain "borg" resolves to /usr/local/bin/borg which is the wrapper
for our main backup host. This causes the offsite backup to be executed
with BORG_REPO set to the main backup destination.

While the above doesn't cause any issues with the backup script/service,
because borg invocations specify the backup destination as an argument,
it's not ideal and/or correct. Adjust borg_cmd to include the full path
of /usr/bin/borg, thus removing any ambiguity.