Offboard coderobe as Package Maintainer

Closes #655

See merge request !912

Fixes #655

Signed-off-by: Christian Heusel <christian@heusel.eu>

aurweb: send traces to correct route for the otlp endpoint

See merge request !911

New aurweb release, deprecations and fix loops

See merge request !910

Relates to: 701c1d01

dbscripts: allow sourceballs to create a lockfile

See merge request !818

/srv/repos/lock is the lock file location configured via a dbscripts
config. Only accessible for users in junior-packager group, a lot better
would be if sourceballs could write a lock file into
/run/sourceballs.lck as it is unrelated to /srv/repos.

Since 257 DynamicUser sets PrivateTmp=disconnected making debuginfod
unable to read/write to /var/tmp/ properly  hampering debuginfod's
functioning.

You can't `systemctl reload debuginfod` after installing the systemd
unit we need a daemon-reload.

This was apparently hosted on the long gone "apollo" server[1], and when
archweb was migrated to a dedicated cloud VM, it was changed to a
redirect to the main site (archlinux.org)[2][3].

It may have made sense at the time, but now four years later there is no
reason for keeping this around.

I guess dev.archlinux.org was something similar to what pkgbuild.com is
today ("Public HTML server" for staff), but only for developers.

[1] f6c3af0e ("Merge branch 'apollo_decomission' into 'master'")
[2] 824fb084 ("tf-stage1/archlinux: Change DNS records for the archweb migration and also increase the machine size")
[3] 9800d023 ("roles/archweb: Create domain redirects for the domains that point to specific archweb sub urls.")

Update the bot user for the nvchecker project

See merge request !909

We have recently switched from a bot token to a fully fledged user.

Link: https://gitlab.archlinux.org/nvchecker


Signed-off-by: Christian Heusel <christian@heusel.eu>

Somehow these changes were not directly applied even though the role
reloads the prometheus config.

Fixes: 10475a62 ("prometheus: Alert if a build hosts is OOM for 12h")
Signed-off-by: Christian Heusel <christian@heusel.eu>

Fixes: 4159a61f ("dbscripts: switch to Git packaging")

prometheus: Move the OOM alert for build hosts to a longer timeframe

See merge request !908

Signed-off-by: Christian Heusel <christian@heusel.eu>

There is not much value in knowing when one of our build hosts has no
more memory left as all of them have plenty of swap available.
Additionally these rules trigger quite often even for short spikes.

Signed-off-by: Christian Heusel <christian@heusel.eu>

Fixes: c4f13d3a ("archweb: Redirect /pacman/ to new pacman subdomain[1]")

Fixes: 05028990 ("Adapt to new Hetzner plans[1] for lower cost and better specs!")

dovecot: Adapt mediator mailbox for new mediators

See merge request !904

Link: https://lists.archlinux.org/archives/list/staff@lists.archlinux.org/message/3JNJQJ7O3LBIXST2EFBCAKM2HCHXJZUM/


Signed-off-by: Christian Heusel <christian@heusel.eu>

archwiki: Update to 1.42.4-2

See merge request !901

Signed-off-by: Christian Heusel <christian@heusel.eu>

Postfix cleanup

Closes #365

See merge request !462

This was added more than 7 years ago[1] and has not been relevant for a
long time.

[1] d32ce421 ("postfix: Remove compat_maps")

Please see the reject_authenticated_sender_login_mismatch option[1] for
more details.

For now service accounts are not restricted in any way, this should be
improved in the further.

[1] https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

Fix #365

This removes unnecessary parameters, mostly for one of these reasons:
the value is already the default value, the default value is good
enough, or the parameter is not used in our case.

A bit of reordering/"tidying" was also done.

I think it was added to improve the mail reputation (avoid being
filtered as spam), but at lot has changed since it was added (+5 years
ago), so let's remove it.

Improve time robustness by switching to chrony, trustworthy time sources and NTS

See merge request !860

From chrony FAQ[1]:
"1.2. Should I prefer chrony over timesyncd if I do not need to run a
server?

Generally, yes.

systemd-timesyncd is a very simple NTP client included in the systemd
suite. It lacks almost all features of chrony and other advanced client
implementations listed on the comparison page. One of its main
limitations is that it cannot poll multiple servers at the same time and
detect servers having incorrect time (falsetickers in the NTP
terminology). It should be used only with trusted reliable servers,
ideally in local network.

Using timesyncd with pool.ntp.org is problematic. The pool is very
robust as a whole, but the individual servers run by volunteers cannot
be relied on. Occasionally, servers drift away or make a step to distant
past or future due to misconfiguration, problematic implementation, and
other bugs (e.g. in firmware of a GPS receiver). The pool monitoring
system detects such servers and quickly removes them from the pool DNS,
but clients like timesyncd cannot recover from that. They follow the
server as long as it claims to be synchronised. They need to be
restarted in order to get a new address from the pool DNS.

Note that the complexity of NTP and clock synchronisation is on the
client side. The amount of code in chrony specific to NTP server is very
small and it is disabled by default. If it was removed, it would not
significantly reduce the amount of memory or storage needed."

This commit fixes the issue by switching to a proper NTP client
(chrony), trustworthy time sources from Netnod and
Physikalisch-Technische Bundesanstalt which distributes the official
time for Sweden[2] and Germany[3] respectively, and finally NTS is used
to protect against MITM attacks.

Since most of our servers are in Germany or Finland (close to Sweden),
it makes sense to use these time sources as a low round-trip delay[4] is
preferred for NTP. For the few servers[5] we have outside Europe, the
root delay[4] will be higher than desired, but with the current use-case
for these servers, it should not be a problem.

[1] https://chrony-project.org/faq.html#_should_i_prefer_chrony_over_timesyncd_if_i_do_not_need_to_run_a_server
[2] https://www.netnod.se/swedish-distributed-time-service
[3] https://www.ptb.de/cms/en/ptb/fachabteilungen/abt4/fb-44/ag-442/dissemination-of-legal-time.html
[4] https://blog.meinbergglobal.com/2021/02/25/the-root-of-all-timing-understanding-root-delay-and-root-dispersion-in-ntp/
[5] {america,asia,sydney}.mirror.pkgbuild.com

Fix some inconsistencies in ansible playbooks / roles

Closes #541

See merge request !899