It's been running out of swap during borg-backup and seems to get good
compression ratios; try upping the zram size to 100% of RAM (from 50%).

Add fail2ban exporter

See merge request !457

The fail2ban exporter exports the amount of bans per jail.

hcloud_inventory: Optimize --list to avoid --host calls

See merge request !459

By adding a top-level element called "_meta" to the --list response,
Ansible will not call the inventory script with --host for each host
thus saving a lot of time and many requests to the Hetzner Cloud API.

The speed-up is significant; `ansible-inventory --list` is down from
about 1 minute to just 7 seconds in my testing (with ~60ms latency).

As per the following deprecation warning (even though it has a typo):

[DEPRECATION WARNING]: [defaults]callback_whitelist option, normalizing
names to new standard, use callback_enabled instead. This feature will
be removed from ansible-core in version 2.15.  Deprecation warnings can
be disabled by setting deprecation_warnings=False in ansible.cfg.

[1] https://github.com/ansible/ansible/pull/74845

zswap seems like the better choice when a backing swap partition exists.

Remove zram size limit and disable zswap when using zram

See merge request !458

When both zswap and zram are active, zswap sits in front of zram and
treats it as a backing store. We just want to use zram and not zswap
disguising itself as such; disable the latter so we can enjoy useful
zramctl statistics.

Implemented as tmpfiles.d/zram.conf which disables zswap at runtime.

Restarting swap.target doesn't apply configuration changes; instead we
can restart systemd-zram-setup@zram0 which seems to do what we wanted.

Set "max-zram-size = none" to disable this unwanted limitation which
defaulted to creating zram-based swap with a maximum size of 4096MiB.

Fixes: dc8fa2bd ("common: Replace deprecated systemd-swap[1] with zram-generator")

Redirect fail2ban log to SYSLOG

Closes #322

See merge request !456

The upstream branch is set by the earlier "git pull --set-upstream".

Ref #374

Onboard alerque as new TU

See merge request !449

Ref #373

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.

Mark "Free Space (Hetzner)" metric as instant for faster updates.

Extend onboarding by more explicit information

See merge request !418

.gitlab/issue_templates/Onboarding.md:
Create the ticket as confidential by default (using a short action).
Make the required information in the Details section more explicit and
add entries that are relevant when creating an SSO and/or archweb
account.
Add a note for sponsors of new users, so that they also add a
clearsigned version of the data they provide.
Add a dot at the end of each sentence.
Make the entries for mailing list operations more generic and rely on
the *communication e-mail address*, which may be the user's personal
mail address or a newly created @archlinux.org mail address.
Add warning message about creating a confidential ticket when providing
personal data.
Add checkbox to remind about the removal of personal information,
removal of description history and setting the ticket to be
non-confidential (if it has been confidential due to personal data).
Add checkbox that reminds setting the Team member username to the
@-prefixed username on gitlab (after the user has logged in).

prometheus_exporters: Improve arch-textcollector

See merge request !453

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Add number of pacnew/pacsave files and print non explicit installed
optdepends as orphans as well.

archweb: Add robots.txt

Closes #358

See merge request !452

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Closes #358

It confuses the users that the browser is caching them (due to
heuristic[1]).

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#heuristic_freshness_checking

The port was removed in:
4729ba40 ("postfix: Remove special "fast-path" smtpd")

Avoid running backup-gitlab twice; reuse tarballs

See merge request !451

The official backup tool for GitLab takes many hours to run because it
puts everything inside tarballs and then gzips each one. It seems safe
and much more efficient to skip this step for the offsite backup while
reusing the tarballs generated by the first backup to the Storage Box.

Should save ~5 hours from the borg-backup-offsite.service execution.

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

It simplifies it a bit.