GitLab is configured to use OpenSearch from its admin panel[2].

[1] https://docs.gitlab.com/ee/user/search/advanced_search.html
[2] https://docs.gitlab.com/ee/integration/advanced_search/elasticsearch.html#enable-advanced-search

Fix #159

This variable is not referenced from anywhere (plus, it's obsolete).

Jelle van der Waa authored 1 year ago and Jelle van der Waa committed 1 year ago

This drops all svn specific functionality and switches to dbscripts git
version. Drops the community repository as it's merged into extra.

gitlab.archlinux.org's host SSH daemon now listens on port 2222. Adjust
the sync-ssh-hostkeys task to take this into account. Port 22 is for GL.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

matrix.archlinux.org doesn't like it when accounts.archlinux.org is
unavailable at start-up. Try to work around this by upgrading
accounts.archlinux.org first and doing a health check before proceeding
to update the rest of the servers.

Fixes: #496

As announced on the mailing list[2] pacman has been migrated to gitlab
and there is no real use for patchwork left, so it can be
decommissioned. A static copy[1] is kept around for the time being to
avoid link rot.

[1] https://gitlab.archlinux.org/archlinux/patchwork-archive
[2] https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/message/7B6R5HVEC67U7B2VQ3SKUVXU4RDCRRMM/

Fix #487

This role will still handle setting up nginx and rsyncd, due to specific
configuration requirements these services have.

We're also effectively relieving build.archlinux.org of rsyncd duties as
it is not something it should be doing anyway.

Move the 'sshd_enable_includes' override to aur's host vars instead of
specifying it as part of playbooks/aur.archlinux.org. Otherwise, would
break the AUR's SSH auth if ssh.d/aurweb_config does not get included.

With the final lists migrated to mailman3[1], the mailman2 server can
finally be killed.

When the mailman3 server was initially setup[2], it was done on a
separate server because the mailman and mailman3 packages conflicted,
and the traffic was routed over wireguard (HTTP, LMTP and SMTP).

Instead of installing mailman3 on the original lists.al.org server and
transferring the data, it was easier just to install the missing pieces
(basically Postfix and adjusting the Nginx configuration) on the ml3
server and move the IPs (to keep the IP mail reputation).

So basically the following was done:
- The IPs for the original lists.al.org was moved to the mailman3.al.org
  server
- The mailman2 datadir was transferred to mailman3.al.org server, so we
  can keep the pipermail links alive, and import missing mails if needed
- The original lists.al.org server was decommissioned
- The mailman3.al.org server was renamed to lists.al.org
- The missing pieces was added to the mailman3 role (basically Postfix +
  Nginx adjustments)
- The mailman role was deleted and the mailman3 role renamed to mailman

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")
[2] 9294828f ("Setup mailman3 server")

Fix #59

These roles are very similar and can be merged into a single new role.

Note: The archive mirror is changed from a 4-hour sync to minutely for
conformity with the other two mirrors. In practice this doesn't matter
as it was already taking over 4 hours to finish and was starting again
right after its previous run.

The Ansible output is too noisy with all the skipped tasks; avoid this
by moving host-speicific tasks into their own files that get included.

Going to be served by all our Geo boxes under riscv.mirror.pkgbuild.com.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This avoid having extra-long lines and works fine for task-based rules.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

For some workloads running in a container is too restrictive, ex:
arch-boxes (loop device, filesystem mount, pacstrap) and archiso
(pacstrap). Currently they both run a TCG accelerated QEMU VM, which is
very slow and painful to work with. We should provide a better option to
our users!

This adds a hardware accelerated VM for this kinds of workloads, which
is way faster and you can do whatever you like (mostly)!

Fix #283

The glibc 2.35-6 package ships with the C.UTF-8 locale included which
means there is now a usable UTF-8 locale available by default.

en_US.UTF-8 will still be generated because PostgreSQL clusters are
created with that locale. Migrating the clusters to C.UTF-8 is
possible, but that requires dumping and recreating them.

Also tweak the documentation on rebuilderd workers and add runner1.

We do not really want to make all mirrors run mirrorcheck, so make it
conditional based on whether archweb_mirrorcheck_locations is defined.

The sshd role needs to open a firewall hole and will fail if firewalld
isn't present. Also place the wireguard role right after firewall role
because it is needed by promtail further down.

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

We want to migrate to mailman3 as mailman2 is basically unmaintained and
requires Python 2 which is EOL.

Because the mailman and mailman3 packages conflict and we don't want to
perform a big bang migration, mailman3 must be deployed on a separate
server. mailman-web (mailman3's web interface) hasn't been packaged yet,
so for now we are using my homebrewed PKGBUILD[1].

[1] https://gist.github.com/klausenbusk/5982063f95c503754a51ed2fefb8915e

Ref #59

The intention is to use this config for other domains besides a mirror.

- add the new role to redirect.archlinux.org
- release mirror.pkgbuild.com of all DNS duties

Bash histories indicate this isn't being used anywhere other than
{build,gemini}.archlinux.org and gemini's filelist is so big that
locate becomes so slow that it's practically useless on this box.

The idea bebind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.

We don't want mirror.pkgbuild.com's DNS server to be a
single-point-of-failure, so this commit adds multiple authoritative DNS
servers for the zone. The extra DNS servers are run on the geomirror
servers.

The _acme-challenge zone, used for obtaining certificates, is run solely
on mirror.pkgbuild.com's DNS server, to avoid syncing DNS records
between the servers (KISS).

mirror.pkgbuild.com doesn't need it.

We had a GeoIP mirror in the past based on nginx and its GeoIP module,
but it didn't perform very well, due to the high latency (asking a
central server for the package and then redirected to the closest
mirror).

One of the reasons for offering this service, is so we can relieve
mirror.pkgbuild.com which is burning a ton of traffic (50TB/month),
likely due to it being the default mirror in our Docker image. Another
reason is so we can offer a link to our arch-boxes images in libosinfo
(used by gnome-boxes, virt-install and virt-manager), with good enough
performance for most users.

This time we take a different approach and use a DNS based solution,
which means the latency penalty is only paid once (the first DNS
request). The downside is that the mirrors must have a valid certificate
for the same domain name, which makes using third-party mirrors a
challenge. So for now, we are just using the sponsored mirorrs
controlled by the DevOps team.

Fix #101

With the PHP->Python port done[1][2], there isn't much need for aur-dev
anynmore. Most things can also be tested locally and aur-dev haven't got
any love since the port (ex: allowing the aurweb maintainers to deploy
without asking DevOps).

[1] https://lists.archlinux.org/pipermail/aur-general/2022-February/036786.html
[2] !525

- Create packer builder in FSN1 and change image to ubuntu-20.04
- Add "use_proxy: false" to provisioner config to work around [1]
- Reduce the size of the BIOS boot partition to 1M (from 10M) [2]
- Update bootstrap_version to 2022.03.01

[1] https://github.com/hashicorp/packer-plugin-ansible/issues/69
[2] https://www.gnu.org/software/grub/manual/grub/html_node/BIOS-installation.html

Avoid updating the cache in the same task w/ the upgrade as the former
causes the combined task to always return changed=True. For up-to-date
hosts, stop early instead of following through to the end and skipping
the final reboot task.

Before Ansible 5.4.0, combined cache update + package upgrade would not
always return changed=True but instead depended on whether the were any
packages to upgrade.