- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access

The idea bebind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.

These were previously removed temporarily and re-created several minutes
later during the process of deploying archusers to gemini.archlinux.org.

Add additional pubkey for dvzrv

See merge request !568

pubkeys/dvzrv.pub:
Add pubkey based on auth subkey of PGP key
`1793DAD5D803A8FFD7451697BB992F9864FAD168`.

geomirror: leverage LUA records for failover+GeoIP

See merge request !563

In an effort to stay consistent with the TTL used for the archlinux.org
and pkgbuild.com NS records, as well as slightly improve lookup latency.

PowerDNS provides a neat way to implement GeoIP-based redirection and
automatic failover. With GeoLite2-City database, it is able to select
the closest mirror from a list of IPs we provide. Every 60 seconds it
also checks if the mirror's HTTPS URL is working as expected; if that
check fails, it stops giving it out (this acts as automatic failover).

archbuild: Distribute CPU and IO resources equally among users

See merge request !564

archbuild: Turn off Git's safe.directory

See merge request !561

Without this setting, Git exits with an error when the repository is not
owned by the current user. This messes with our shared srcdest.

Packer bootstrap tweaks

See merge request !562

New hcloud adds protection fields to servers, volumes and floating IPs.

Since we are now using the local disk instead of a volume (which can be
scaled up easily) it helps to have a more consistent view of free space.

All database user passwords have been updated to use scram-sha-256, so
there's no need for backward compatibility with md5.

Also remove the suggestion to call delete_old_cluster.sh; it's now being
created under /tmp and it only contains a command to remove the old data
directory. (We can do the latter ourselves after some time has passed.)

Ensure the correct version is installed and matches $FROM_VERSION.

Commit 8f113698b63b15a4e0a4b15d3ee37238c1d1821d upstream:

  Remove analyze_new_cluster script from pg_upgrade

  Since this script just runs vacuumdb anyway, remove the script and
  replace the instructions to run it with instructions to run vacuumdb
  directly.

Not much point in vimdiff'ing pg_hba.conf and postgresql.conf.

Adapt upgrade_pg.sh to avoid manipulating /var/lib/postgres' structure
as the postgres user. Instead, create a new empty data directory owned
by postgres for initdb to use.

postgres: rebase config to postgresql 14.2-1

See merge request !560

Also alphabetically sort the servers in this group.

The default sslmode is require which doesn't protect against MITM
attacks (the certificate isn't verified). The different modes are
explained here [1].

[1] https://www.postgresql.org/docs/current/libpq-ssl.html

It was using a nonexistent target path when copying the renewed cert and
was not reloading postgresql.service in order for it to reload the certs.

matrix: use C locale for the synapse database

See merge request !559

Synapse needs the database to be in C locale. Since v1.56.0, it refuses
to start when this is not the case, see [upgrade.md][1].

[1]: https://github.com/matrix-org/synapse/blob/v1.56.0/docs/upgrade.md#change-in-behaviour-for-postgresql-databases-with-unsafe-locale

/srv/gitlab has been moved to local (NVMe SSD) storage; hopefully it
won't grow too large and thus require transferring back to a volume.