The key is used for signing the releases, so the users can be sure the
images on the mirrors haven't been modified. arch-boxes has been tweaked
to use the key in this MR[1].

[1] arch-boxes!176

Renovate is a tool for: "Automated dependency updates. Multi-platform
and multi-language."[1].

We require all commits pushed directly to official projects to be
signed, so a master key and signing key have been generated for
Renovate. Both keys are stored in renovate.asc and Renovate only has
access to the signing key.

[1] https://github.com/renovatebot/renovate

Fixes: 511b6ca4 ("misc/vault-keyring-client.sh: add flock workaround")

We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].

[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/

- IPMI credentials for luna.archlinux.org
- Entry with no credentials for PIA boxes

We want to deploy project documentation (ex: repod) with GitLab Pages
and due to security concerns[1], they should be deployed on a separate
domain.

Hetzner's Registration Robot[2] only supports a few TLDs and all the
good names have already been taken, and therefore we need a new domain
registrar. SPI has a partnership with Gandi, so Gandi it is.

[1] https://www.hetzner.com/registrationrobot
[2] https://github.blog/2013-04-09-yummy-cookies-across-domains/

roles/prometheus/defaults/main.yml used to include a comment with the
commands used to generate a list of HTTPS endpoints to check. Move it
into a proper script and fix it to generate the correct current list.

Extend the removal of the dashes from unencrypted YAML documents to
encrypted ones as well.

Fixes: a9e0790f ("Remove the three dashes from all YAML documents")

Vagrant Cloud has been used for years by arch-boxes[1] for publishing
Vagrant boxes. Access to the organization[2] was handed out to a few
members of the DevOps team and the creator of the organization
(arch-boxes maintainer at the time).

With this commit the control of the organization is handed over to the
DevOps team through a new Vagrant Cloud account.

[1] https://gitlab.archlinux.org/archlinux/arch-boxes
[2] https://app.vagrantup.com/archlinux/

Otherwise running terraform under tf-stage2 will often fail with:

> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'

artafinde is our new newest Junior DevOp[1] and will get access to:
* monitoring.al.org: for setting up gitlab-exporter[1]
* gitlab.al.org: for setting up gitlab-exporter[1]
* dashboards.al.org: in case he wants to do more monitoring related
  stuff

[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/

Fix #452

- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access

The idea bebind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.

New username; separate and longer account manager + storage passwords.

Also, have to use --remote-path=borg1 when interacting with rsync.net.

[1] https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/

We force delete in the signal handler as a graceful script execution
already deletes the file. This way we avoid any errors being wrongly
printed.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 77542146 ("Rewrite get_key.py to use click instead of typer")

Fix #80

Typer doesn't work with Click 8[1].

[1] https://github.com/tiangolo/typer/issues/280

Apparently our earlier permissions weren't enough.

This personal access token is for automatically creating official Docker images and will be used via GitLab CI.

https://lists.archlinux.org/pipermail/arch-devops/2020-June/000424.html

We now have a status.archlinux.org page that's on uptimerobot and it monitors a few
of our services. Added the credentials for that service on the vault.