Add monitoring for our PostgreSQL DB size using a similiar construct as
the MySQL DB size monitoring with a perl script.

Add a role for the hefur torrent tracker. A simple
service which runs on tracker.archlinux.org. Note that our setup
overrides a few things of the systemd service.
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>

This is mostly so that the roles runs OK and that we have every host in
there. This change only affects 2 unused pia machines. All other hosts
already set a template list.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

This breaks firewalld for machines where this variable hasn't yet been
reconfigured. We don't need python2 anywhere so just get rid of this and
use the python3 default I put into another group var already.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

This only changes the dns server of two unused PIA boxes. All other
machines were already configured like this.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

It's just a cat and only populates the variable. No need to mark it
changed every time.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

We don't need resolved and it is sometimes buggy so let's just get rid
of it and use unbound like we do on our mail machines already.

Details: https://kanboard.archlinux.org/public/task/104/7dd7510424e4229247e8e0b90bf43e1553fce86cdf8475b60edc956ed5a8

Signed-off-by: Florian Pritz <bluewind@xinu.at>

luna runs hefurd

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Mount /usr, /etc read only, protect the /home, /tmp and kernel
directories. Also disallow privilige escalation.

Eli Schwartz authored Dec 14, 2018 and Florian Pritz committed Dec 14, 2018

When using restrictive sudoers profiles, the builtin mechanism for
whitelisting this variable on the sudo command line does not work.

Explicitly whitelist it anyway by matching on the ARCHBUILD role.

This hopefully allows users to use `passwd` to set a password which is
necessary for email.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Key resides on orion and is used to pull packages from soyuz and sgp.

[WARNING]: when statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: item not in "{{ arch_users }}"

Work key to soyuz because I sync my zsh/nvim/stuff config with it if I
can't reach my home network.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Add a playbook for our reproducible builds workers. Set's up a sudo user
so that an admin of the reproducible builds project can configure the
worker.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

These are required to be set when adding a new host.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

This currently deploys the same configuration we used to have apart from
some '127.0.0.1' IPs for the agent IP, but those were incorrect anyways.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

list
Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Some of our users have keys that they only want on a few machines and
reconfigure each time we deploy. Now we can configure and deploy such
keys.
Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Use TimeoutStopSec instead.