Commits · d4278dd87641cacc6549e0d0f8f5d1eadee56005 · Arch Linux / infrastructure

18 Sep, 2020 1 commit

Warn 25 days before certificate expires instead of 3 days before · d4278dd8

Kristian Klausen authored Sep 16, 2020 and

Sven-Hendrik Haase committed Sep 18, 2020

3 days is a bit too late. Certbot renews the certificate 30 days before,
so 25 days should be safe and shouldn't cause any "false positives" due
to transient errors.

d4278dd8

17 Sep, 2020 4 commits
- Remove retired mirror · d5f3586c
  Jelle van der Waa authored Sep 17, 2020
  
  d5f3586c
- Update file permissions to working permissions · 091a4fe5
  Jelle van der Waa authored Sep 17, 2020
```
/srv/http/archweb has to be readable for nginx to serve css/js static
assets.
```
  091a4fe5
- Update archweb to latest version · cd5ef816
  Jelle van der Waa authored Sep 17, 2020
  
  cd5ef816
- Add reverse DNS and DNS entries for svn2gittest vps · 18e8dcba
  Jelle van der Waa authored Sep 17, 2020
  
  18e8dcba
16 Sep, 2020 2 commits
- Merge branch 'fix-keycloak-theme-background-registration' into 'master' · 69f95b56
  Sven-Hendrik Haase authored Sep 16, 2020
```
Ensure the Keycloak custom theme background works in all login related pages

Closes #136

See merge request !83
```
  69f95b56
- Add extra selector to ensure custom background works in all login pages · 3760d5b8
  Ira ㋡ authored Sep 16, 2020
  
  3760d5b8
15 Sep, 2020 3 commits

Add arch-devops-private to devops onboarding · 058b5657
Jelle van der Waa authored Sep 15, 2020
```
Closes: #131
```
058b5657
Merge branch 'feature/kernel-sysctl-hardening' into 'master' · dd918741
Levente Polyak authored Sep 15, 2020
```
kernel: further default sysctl hardening

See merge request !81
```
dd918741

kernel: further default sysctl hardening · b2ba1877

Levente Polyak authored Sep 07, 2020

- unprivileged bpf: we do not need this on our infra, we can assume
  bpf() calls will happen with CAP_SYS_ADMIN if required.

- unprivileged userns: we do not need this on our infra for none of
  our services or similar. Reduce attack surface by a huge margin
  including most recent CVE-2020-14386.

- kptr restrict: we already check for CAP_SYSLOG and real ids but we
  really do not require any specific kernel pointers to be logged.
  Settings this to 2 instead to blank out all kernel pointers to
  protect against info leak.

- kexec: disable kexec as we do never want to kexec our running servers
  into something else. Settings this sysctl disables kexec even if its
  compiled into the kernel.

- bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for
  the sacrifices off a bit performance for all users including
  privileged.

b2ba1877

12 Sep, 2020 9 commits
- Monitor state,quassel with prometheus · 0d995b01
  Jelle van der Waa authored Sep 12, 2020
  
  0d995b01
- Allow network access for mariadb for prometheus · 8d8974a3
  Jelle van der Waa authored Sep 12, 2020
```
The prometheus-mysqld-exporter connects over localhost to collect
stats, so networking has to be enabled. mariadb's default is to serve on
0.0.0.0, so change the configuration to serve on localhost.
```
  8d8974a3
- Set innodb_buffer_pool_size to 1G for the aur · 49df3110
  Jelle van der Waa authored Sep 12, 2020
  
  49df3110
- Merge branch 'mariadb-defaults' into 'master' · 983562b0
  Jelle van der Waa authored Sep 12, 2020
```
Improve mariadb configuration

See merge request !79
```
  983562b0
- remove mariadb_innodb_buffer_pool_size from playbooks · 65522095
  Jakub Klinkovský authored Sep 05, 2020 and Jelle van der Waa committed Sep 12, 2020
```
The default value is 128M and our servers have plenty of RAM for that.
```
  65522095
- mariadb: bump mariadb_table_open_cache to the upstream default of 2000 · 13de2781
  Jakub Klinkovský authored Sep 05, 2020 and Jelle van der Waa committed Sep 12, 2020
```
The upstream default value is 2000 since 10.1.7:
https://mariadb.com/kb/en/server-system-variables/#table_open_cache

See also commit f164d000
```
  13de2781
- Add missing prometheus mysqld password to the vault · d81686a8
  Jelle van der Waa authored Sep 12, 2020
  
  d81686a8
- Add aur-dev and phrik.archlinux.org to prometheus monitoring · 5091b966
  Jelle van der Waa authored Sep 12, 2020
  
  5091b966
- Remove zabbix-agent role everywhere · 2be002b1
  Jelle van der Waa authored Sep 12, 2020
```
We switched for monitoring to prometheus so zabbix-agent is unwanted and
we don't want to accidently deploy it again.
```
  2be002b1
10 Sep, 2020 3 commits

Merge branch 'wiki_group_onboarding' into 'master' · 0a6a5703
Sven-Hendrik Haase authored Sep 10, 2020
```
Add Support Staff subgroups in Keycloak

See merge request archlinux/infrastructure!57
```
0a6a5703

Add a new Support groups · 76e334c6

Jelle van der Waa authored Aug 22, 2020

Expand the Support group with subgroups for the Wiki, Forum, Security
Tracker and Archweb. The subgroups are just a placeholder for groups for
the roles which a user can be in for the service. New onboarded users
should be assigned to correct groups for their Support staff team.

76e334c6

Add missing vault_monitoring file · d6aee90b
Jelle van der Waa authored Sep 10, 2020

d6aee90b

09 Sep, 2020 7 commits
- Merge branch 'grafana' into 'master' · 2f66c6b6
  Jelle van der Waa authored Sep 09, 2020
```
Grafana

See merge request !73
```
  2f66c6b6
- Automatically provision Grafana dashboards and datasources · 140d7d74
  Jelle van der Waa authored Aug 15, 2020 and Sven-Hendrik Haase committed Sep 09, 2020
  
  140d7d74
- Setup Oauth for Grafana · 7183361c
  Jelle van der Waa authored Jul 28, 2020 and Sven-Hendrik Haase committed Sep 09, 2020
```
Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only DevOps is configured as admin and Arch Staff as general Viewer
roles.
```
  7183361c
- Set X-Forwarded-For header to show IP origin in grafana · 1dffa980
  Jelle van der Waa authored Jul 28, 2020 and Sven-Hendrik Haase committed Sep 09, 2020
```
To show the session IP address in /profile in Grafana the
X-Forwarded-For header has to be set.
```
  1dffa980
- Don't install grafana-zabbix anymore · 34943953
  Jelle van der Waa authored Jul 28, 2020 and Sven-Hendrik Haase committed Sep 09, 2020
```
As we are moving to prometheus it's no longer required.
```
  34943953
- Merge branch 'use-ipvs-from-hcloud' into 'master' · 9a096d9f
  Sven-Hendrik Haase authored Sep 09, 2020
```
Use IPs from Hcloud

See merge request !82
```
  9a096d9f
- Use IPs from Hcloud · 31ce038f
  Sven-Hendrik Haase authored Sep 09, 2020
```
Now that we manage DNS via Terraform and Hetzner DNS API, it makes sense to use the data provider from
hcloud to get the server IPs.
```
  31ce038f
08 Sep, 2020 7 commits
- Merge branch 'keycloak-webauthn' into 'master' · b2876d08
  Sven-Hendrik Haase authored Sep 08, 2020
```
Redo Keycloak flows and add WebAuthn support

Closes #28 and #112

See merge request !80
```
  b2876d08
- keycloak: Redo all flows · c1c24c5c
  Sven-Hendrik Haase authored Sep 06, 2020
```
We had to redesign all flows when discovering that we can't design flows exactly the way we wanted in Keycloak.
```
  c1c24c5c
- keycloak: Add fallthroughs to doc everywhere · 880a794a
  Sven-Hendrik Haase authored Sep 05, 2020
  
  880a794a
- keycloak: Force OTP Setup for staff and external contributors · 7ea76e73
  Kristian Klausen authored Jul 31, 2020 and Sven-Hendrik Haase committed Sep 08, 2020
```
Broken by the last commit
```
  7ea76e73
- keycloak: Enable WebAuthn · ef1e7b13
  Kristian Klausen authored Jul 31, 2020 and Sven-Hendrik Haase committed Sep 08, 2020
```
Registering a new required action is currently not supported, so it
needs to be done manually.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/354

Configuring the WebAuthn policy is currently not supported, so it needs
to be done manully.
See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/355

Fix #28
```
  ef1e7b13
- Comment out SOA entries for for now as we don't know how to manage those via Terraform · 9338427c
  Sven-Hendrik Haase authored Sep 08, 2020
```
See https://github.com/timohirt/terraform-provider-hetznerdns/issues/20 for reference.
```
  9338427c
- Merge branch 'manage-hetzner-dns-with-terraform' into 'master' · ae253f3f
  Sven-Hendrik Haase authored Sep 08, 2020
```
Start managing Hetzner DNS with Terraform

Closes #87

See merge request archlinux/infrastructure!62
```
  ae253f3f
07 Sep, 2020 1 commit
- Start managing Hetzner DNS with Terraform · 903adb38
  Sven-Hendrik Haase authored Aug 27, 2020
  
  903adb38
06 Sep, 2020 3 commits
- matrix: Update irc-bridge config from config.sample.yaml · dbbc9d44
  Jan Alexander Steffens (heftig) authored Sep 06, 2020
  
  dbbc9d44
- Merge branch 'prometheus_exporters' into 'master' · ff9358a9
  Jelle van der Waa authored Sep 06, 2020
```
Prometheus exporters

See merge request archlinux/infrastructure!72
```
  ff9358a9
- Add rebuilderd build queue length textcollector · cd4b2844
  Jelle van der Waa authored Aug 15, 2020
```
Record the rebuilderd queue length in prometheus so we can generate an
alert for when the queue length keeps rising. As this could be an
indication that the rebuilders have builds which are stuck.
```
  cd4b2844