Fixes: 26f289b7 ("Capitalize the first letter of all task names")

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

Fix #392

Fix #177

The role for the clients is named postfix_null (per [1]) and it's much
simpler and cleaner than the postfix role. I hope can cleanup the
postfix role at a later date.

[1] http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

Fix #263

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

The former approach to export a maildir and iterate over it with a
script broke when the mail server and the web server got on their
own hosts. This will use IMAP IDLE to check for new mails and pass
them instantly to the djange manage.py script without storing the mail
locally.

Added a host_var file for archlinux.org as well as the playbook for archlinux.org
machine. It it's a stripped down version of apollo's playbook, only containing the roles
pertaining archweb.

Fix #213

Zabbix has been replaced by Prometheus for monitoring our services.

Jelle van der Waa authored 4 years ago and Jelle van der Waa committed 4 years ago

Orion has been replaced by gemini and for mail by mail.archlinux.org

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Switching to Rspamd has some advantages:
* It is probably faster than SA[1] (C + Lua vs Perl)
* We can reduce the number of moving parts. Rspamd has built-in DKIM
  signing, greylisting, DMARC checking to name a few
* It doesn't just mark the mail as spam/not-spam, it gives every mail a
  score and depending on the score it does either: nothing, greylist it,
  mark it as spam or reject it[2] (more actions is available and it can
  be tweaked)
* Replies whitelisting[3]
* It supports ARC signing, which can be useful
* A cool looking WebUi :)
* ... and more[4]...

[1] https://rspamd.com/doc/tutorials/migrate_sa.html#why-migrate-to-rspamd
[2] https://rspamd.com/doc/faq.html#what-are-rspamd-actions
[3] https://rspamd.com/doc/modules/replies.html
[4] https://rspamd.com/comparison.html

Jakub Klinkovský authored 4 years ago and Jelle van der Waa committed 4 years ago

The default value is 128M and our servers have plenty of RAM for that.

Jakub Klinkovský authored 4 years ago and Jelle van der Waa committed 4 years ago

The upstream default value is 2000 since 10.1.7:
https://mariadb.com/kb/en/server-system-variables/#table_open_cache

See also commit f164d000

gemini

Jelle van der Waa authored 5 years ago and Jelle van der Waa committed 5 years ago

Archweb now supports a planet alternative and the old planet software
was Python2 and not maintained anymore.

Remove the flyspray role from apollo. There are still leftovers and nginx
is configured to reply with the maintenance mode, in case someone tries to
access flyspray through apollo.

playbooks/apollo: Split the security tracker role into multiple lines and add the nginx configuration
roles/security_tracker: Plug in the maintenance mode

Switch from apcu caching to memcached with 512 MiB so that we have a
sustained cached instead of a php-fpm worker based cache which has a
shorter lifetime of 2000 requests before the worker get's killed and
respawned.

With apcu caching the wiki get's ~ 40 req/s more and the latency of the
wiki lowers.

This bans all requests exceeding 1/min in a time period of 30 minutes.
This might be too harse and can be adjusted later.

Create a new role for our conf.archlinux.org website which is a static
website generated by hugo

Signed-off-by: Florian Pritz <bluewind@xinu.at>

luna runs hefurd

- firewall tag so that the facts exist when only firewall is run
- extract IPs from our host vars all the time. no need to query
autodetected facts
- remove empty elements from the list with select(). not all hosts have
ipv6
- fix the subnetmask for v6
- fix the postgres role configuring a v4 rule instead of v6 for a v6
address
- hardcode netmask for orion addresses too

Little bit much for one commit, but splitting it doesn't make a whole
lot of sense.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

we have to use rich rules in firewalld to restict a specific port to a list of
specific ip addresses. when using rich rules, you have to specify the address
family (ipv4 or ipv6) which we can't do in an automated fashion with the ipv4
and ipv6 addresses of the clients dynamically generated into a single variable.
so this commit creates 2 variables; one for ipv4 clients and one for ipv6
clients which can be referred to as required when creating the rich rules.