C.UTF-8 is installed by default, so we can avoid messing with locale-gen
by using that.

All the postgres servers (excluding matrix due to[1]) have been migrated
with the following commands:
# sudo -u postgres pg_dumpall > d
# sed "s/LOCALE = 'C'/LOCALE = 'C.UTF-8'/" -i d
# systemctl stop postgresql.service
# mv /var/lib/postgres/data{,.old}
$ ansible-playbook --diff -t postgres playbooks/<host>.yml
# sudo -u postgres psql < d

[1] https://github.com/matrix-org/synapse/blob/19a57f4a3710d6c3f7cc9d031e0e59bc2ed3b052/docs/postgres.md#fixing-incorrect-collate-or-ctype

Fix #470

Using an inline statement eats the blank line after it; to overcome this
switch to an inline expression, which also happens to be easier to read.

- enable_gzip: grafana listens on localhost, nginx handles compression
- admin_user: initial admin creation is disabled in our config
- strict_transport_security: the same header is set by nginx
- strict_transport_security_max_age_seconds: unused without the above

- common: for deciding when to install/configure smartmontools
- install_arch: installing ucode update only on physical hosts

On asia.mirror.pkgbuild.com, 'smartctl -a --json $disk' has been exiting
with code 64. From smartctl(1) code 64 corresponds to "Bit 6: The device
error log contains records of errors". Since we're not interested in old
errors, ignore it.

This has become outdated (missing new dedicated servers) and its usage
can be replicated by checking if ansible_virtualization_role == "host".

For Ansible ad hoc commands, '!hcloud' can be used to the same effect.

Bots are joining earlier and waiting a day before spamming.

Mario Oenning authored 2 years ago and Mario Oenning committed 2 years ago

* Show totals for the last 24 hours (instead of all time)
* Add total search requests pie chart

Signed-off-by: moson-mo <mo-son@mailbox.org>

Wiki says "Do not download it from a mirror" and it sounds more secure.

Fixes: 503b08db ("install_arch: verify bootstrap image signature")

Symlinking home.json to archive.json causes a duplicate, as both
dashboards have the same uid, and Grafana won't keep the dashboards
updated when there are duplicates[1]. Instead just change
default_home_dashboard_path to point to the archive.json dashboard.

[1] "dashboards provisioning provider has no database write permissions
     because of duplicates"

Matt Nelson authored 2 years ago and Evangelos Foutras committed 2 years ago

Fixes #458.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Co-authored-by: Kristian Klausen <kristian@klausen.dk>
Co-authored-by: moson-mo <mo-son@mailbox.org>

3690/tcp -> svn

The nginx role already enables the http and https services.

4242/tcp -> quassel
 113/tcp -> ident

51820/udp -> wireguard

WireGuard was setup to provide a internal network with confidentiality,
authenticity and integrity[1]. This migrate the remaining Prometheus
exporters to use the internal WireGuard network.

[1] 664deb67 ("WireGuard all hosts")

Fix #384

Expose aurweb RPC using goaurrpc to reduce the load on the server.
Additionally we can now geo-serve this ro reduce load and bandwidth.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Kevin Morris authored 2 years ago and Leonidas Spyropoulos committed 2 years ago

This commit brings in four new routes to nginx:
- /archives/metadata.git
- /archives/users.git
- /archives/pkgbases.git
- /archives/pkgnames.git

See https://gitlab.archlinux.org/archlinux/aurweb/-/blob/master/doc/git-archive.md



For now, we will be updating the repositories once every 10 minutes.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Co-signed by:  Kevin Morris <kevr@0cost.org>

group_vars/all was enabling just the sshd jail so move this into the
fail2ban role defaults. patchwork, security and wiki were redefining
fail2ban_jails without deviating from the group_vars/all default and
can therefore be dropped.

I have needed to use compsize on multiple occasions, and thus had to
temporarily install it. As it is already installed on 9 machines and
is generally useful, make it part of the standard tool set for btrfs.

The traffic hitting ping.archlinux.org has lately been exhausting its
default nf_conntrack_max limit of 64k. Bump it to 256k (which is also
the default limit found on systems with more than 4G of memory).

Suggested-by: Kristian Klausen <kristian@klausen.dk>

With the final lists migrated to mailman3[1], the mailman2 server can
finally be killed.

When the mailman3 server was initially setup[2], it was done on a
separate server because the mailman and mailman3 packages conflicted,
and the traffic was routed over wireguard (HTTP, LMTP and SMTP).

Instead of installing mailman3 on the original lists.al.org server and
transferring the data, it was easier just to install the missing pieces
(basically Postfix and adjusting the Nginx configuration) on the ml3
server and move the IPs (to keep the IP mail reputation).

So basically the following was done:
- The IPs for the original lists.al.org was moved to the mailman3.al.org
  server
- The mailman2 datadir was transferred to mailman3.al.org server, so we
  can keep the pipermail links alive, and import missing mails if needed
- The original lists.al.org server was decommissioned
- The mailman3.al.org server was renamed to lists.al.org
- The missing pieces was added to the mailman3 role (basically Postfix +
  Nginx adjustments)
- The mailman role was deleted and the mailman3 role renamed to mailman

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")
[2] 9294828f ("Setup mailman3 server")

Fix #59

These roles are very similar and can be merged into a single new role.

Note: The archive mirror is changed from a 4-hour sync to minutely for
conformity with the other two mirrors. In practice this doesn't matter
as it was already taking over 4 hours to finish and was starting again
right after its previous run.

Ordering "when:" before "block:" makes it more readable I suppose.

Using templates anywhere but the end of the name makes grepping for
errors more difficult.