Onboard mh4ckt3mh4ckt1c4s as Junior PM

See merge request !870

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

vault: replace artafinde's RSA with ed25519 key

See merge request !871

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/QSBPAWQGOT66VHP62ODTMLAICRTBUYP7/

Related to #625



Signed-off-by: Christian Heusel <christian@heusel.eu>

The default set is defective and only covers `twitter.com` and
`youtube.com/shorts`.

Take the [official list][1] and filter it to remove providers that
Synapse rejects.

[1]: https://oembed.com/providers.json

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Currently needs a hack in
/var/lib/synapse/matrix-appservice-irc/node_modules/matrix-appservice-bridge/lib/components/media-proxy.js
to replace the `"http"` require with `"https"` or the proxy won't work.

See: https://github.com/matrix-org/matrix-appservice-bridge/issues/507

Onboard anonfunc as Package Maintainer

Closes #595

See merge request !869

Anonfunc has been a Junior packager for longer then two months.

Fixes: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/595

tf-stage1: Add HTTPS[1] DNS records for speeding up HTTP/3 negotiation

See merge request !867

This should have been added in the HTTP/3 commits[2][3], but it was my
understanding that it was not supported by Hetzner DNS. It apparently is
supported but not documented.

Cloudflare has a blog post[4] explaining how this speeds up HTTP/3
negotiation. Basically, the clients can connect over HTTP/3 right away,
rather than having to connect with an older protocol (probably HTTP/2 in
our case) and then upgrade to HTTP/3 (based on the Alt-Svc header).

Our domains are HSTS preloaded[1], so it would not speed up HTTPS
negotiation in most cases.

[1] https://datatracker.ietf.org/doc/html/rfc9460
[2] 8dfa7e8c ("nginx: Add plumbing for enabling HTTP/3 conditionally")
[3] 28e0f03c ("Enable HTTP/3 for {,aur.,wiki.}archlinux.org")
[4] https://blog.cloudflare.com/speeding-up-https-and-http-3-negotiation-with-dns
[5] https://hstspreload.org/

Ref #606

Update archmanweb to v1.12

Closes #622

See merge request !868

pkgbuild_org_a    -> pkgbuild_com_a
pkgbuild_org_aaaa -> pkgbuild_com_aaaa

Fixes: 0c976679 ("Deploy tempo")

Fix typos in firewalld and fail2ban roles

See merge request !828

CPX51 is a bit expensive (€54.4/mo) and based on performance monitoring
the CX52 should accomplish the same job at a much lower cost (€31.9/mo).

Switch from redis to valkey

See merge request !863

We do this since the redis package is soon to be deprecated:
https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/2ERGX565GSSBUMADBG7DQJYNPJD5GUXD/



Signed-off-by: Christian Heusel <christian@heusel.eu>

The project access token expired ~3 months ago and the CI script has
just been switched to using a job token instead[1]. The project bot user
has zero activity so I decided to delete it.

[1] arch-boxes@afa85791

Fixes: 87b2eddf ("aurweb: enable goaurrpc metrics and dashboard")

We do not usually expose metrics publicly and there is no good reason
for handling aurweb differently.

Fixes: 74757d6b ("Scape aurweb metrics")

It seems to have broken with the release of filesystem 2021.12.07, which
incorporates this upstream change[1] in [2]. Please also see the
upstream issue[3].

I'm not sure why we used ansible_fqdn in the first place as
inventory_hostname should be preferred (as we define it ourselves).

[1] https://github.com/systemd/systemd/commit/ce266330fc3bd6767451ac3400336cd9acebe9c1
[2] archlinux/packaging/packages/filesystem@fc84245e
[3] https://github.com/systemd/systemd/issues/20358

Fixes: 8dfa7e8c ("nginx: Add plumbing for enabling HTTP/3 conditionally")

[1] https://github.com/prometheus/prometheus/commit/8fdfa52976ebb0c0594962fe4dac7605373fa638

We don't want these comments to be added to docs/ssh-known_hosts.txt.

From OpenSSH 9.8 release notes [1]:

 * ssh-keyscan(1): this tool previously emitted comment lines
   containing the hostname and SSH protocol banner to standard error.
   This release now emits them to standard output, but adds a new
   "-q" flag to silence them altogether.

[1] https://www.openssh.com/txt/release-9.8

It has been disabled client side since 7.0[1] (2015-08-11), server side
since 7.7[2][3] (2018-04-02), default DSA host key generation has been
disabled since 9.1[4] (2022-10-04) and with 9.8[5] (2024-07-01) DSA
support is disabled by default at compile time. In other words, DSA has
de facto been disabled (by default) for years.

From the 9.8 release notes[5]:
"OpenSSH plans to remove support for the DSA signature algorithm in
early 2025"

The DSA host keys have been removed on our servers by running[6]:
ansible all -a "rm /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub"

[1] https://www.openssh.com/txt/release-7.0
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2662
[3] https://github.com/openssh/openssh-portable/commit/88c50a5ae20902715f0fca306bb9c38514f71679
[4] https://www.openssh.com/txt/release-9.1
[5] https://www.openssh.com/txt/release-9.8
[6] #596 (comment 203938)

Fix #596

Enable HTTP/3 for {,aur.,wiki.}archlinux.org

See merge request !850

They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on
archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the
":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606