A new Hetzner cloud project has been created called "Sandbox". This
project is meant for non-production workload which must be created
on-demand from e.g. a CI pipeline. The first project using the sandbox
is aurweb, which wants to use GitLab's Review apps[1] feature to create
dynamic environments on-demand.

Two API tokens have been created, one for the infrastructure project (to
be used by packer) and for the aurweb project.

[1] https://docs.gitlab.com/ee/ci/review_apps/

This is needed as archlinux-docker wants to push its container images to
GitHub Packages[1]. Unfortunately, the existing GitHub account has too
much access and it is not possible to limit the token to a single
repository[2].

[1] archlinux/archlinux-docker#73
[2] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic

This is needed as archlinux-docker wants to push its container images to
Quay.io[1], which requires a RedHat account.

[1] archlinux/archlinux-docker#73

Follow-up to merge request !671.

URL: https://fosstodon.org/@archlinux

We have been using sponsored Equinix Metal boxes for years (sponsorship
managed by CNCF[1]). This adds a service account[2], so we don't need to
rely on individual access.

[1] https://github.com/cncf/cluster
[2] https://github.com/cncf/cluster/issues/213

Similarly to geo.mirror.pkgbuild.com, this is monitored elsewhere.

I think this was renamed when Keycloak switched to Quarkus.

From [1]: "By default, the new Quarkus distribution removes /auth from
           the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus

The key is used for signing the releases, so the users can be sure the
images on the mirrors haven't been modified. arch-boxes has been tweaked
to use the key in this MR[1].

[1] arch-boxes!176

Renovate is a tool for: "Automated dependency updates. Multi-platform
and multi-language."[1].

We require all commits pushed directly to official projects to be
signed, so a master key and signing key have been generated for
Renovate. Both keys are stored in renovate.asc and Renovate only has
access to the signing key.

[1] https://github.com/renovatebot/renovate

Fixes: 511b6ca4 ("misc/vault-keyring-client.sh: add flock workaround")

We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].

[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/

- IPMI credentials for luna.archlinux.org
- Entry with no credentials for PIA boxes

We want to deploy project documentation (ex: repod) with GitLab Pages
and due to security concerns[1], they should be deployed on a separate
domain.

Hetzner's Registration Robot[2] only supports a few TLDs and all the
good names have already been taken, and therefore we need a new domain
registrar. SPI has a partnership with Gandi, so Gandi it is.

[1] https://www.hetzner.com/registrationrobot
[2] https://github.blog/2013-04-09-yummy-cookies-across-domains/

roles/prometheus/defaults/main.yml used to include a comment with the
commands used to generate a list of HTTPS endpoints to check. Move it
into a proper script and fix it to generate the correct current list.

Extend the removal of the dashes from unencrypted YAML documents to
encrypted ones as well.

Fixes: a9e0790f ("Remove the three dashes from all YAML documents")

Vagrant Cloud has been used for years by arch-boxes[1] for publishing
Vagrant boxes. Access to the organization[2] was handed out to a few
members of the DevOps team and the creator of the organization
(arch-boxes maintainer at the time).

With this commit the control of the organization is handed over to the
DevOps team through a new Vagrant Cloud account.

[1] https://gitlab.archlinux.org/archlinux/arch-boxes
[2] https://app.vagrantup.com/archlinux/

Otherwise running terraform under tf-stage2 will often fail with:

> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'

artafinde is our new newest Junior DevOp[1] and will get access to:
* monitoring.al.org: for setting up gitlab-exporter[1]
* gitlab.al.org: for setting up gitlab-exporter[1]
* dashboards.al.org: in case he wants to do more monitoring related
  stuff

[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/

Fix #452

- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access

The idea bebind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.

New username; separate and longer account manager + storage passwords.

Also, have to use --remote-path=borg1 when interacting with rsync.net.

[1] https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/

We force delete in the signal handler as a graceful script execution
already deletes the file. This way we avoid any errors being wrongly
printed.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 77542146 ("Rewrite get_key.py to use click instead of typer")

Fix #80