The RFC[1] recommends it and it seems to be best-pratice these days.

[1] https://tools.ietf.org/html/rfc7208

Document our fail2ban setup

See merge request !94

For all hosts we want to have a working fail2ban for sshd brute force
attempts through a group_vars/all. For some hosts an override is
required to enable postfix or dovecot jails.

Remove secure-runner2

See merge request !128

As it turns out, secure-runner2 isn't fast enough to serve as CI/CD and if we keep rescaling it to be
large enough, it'll be more expensive than secure-runner1 which is a lot faster. So, it'd be most
useful to just get rid of this VPS.

The idea is to cancel secure-runner1 and use secure-runner2 as the sole secure-runner as it should be fast enough.
We originally had secure-runner1 in hardware as we thought we needed KVM but as it turns out, qemu software emulation
via tcg is actually fast enough so that's what we're using now. That also menas that we can now use a cheap cloud
runner for everything.

We decommissioned kanboard in favor of GitLab.

Jelle van der Waa authored Oct 29, 2020 and Sven-Hendrik Haase committed Nov 02, 2020

The WKD webservice ran on orion, but as we want to retire it, we will
move it to it's own CX11 VPS. As it's just a simple web page.

Since rebuilderd-website now does cache busting by appending the version
in it's js/css file we can apply cache headers. Also remove the invalid
Feature-Policy header entry.

archweb: change keyserver to keyserver.ubuntu.com

See merge request !107

Filipe Laíns authored Oct 19, 2020 and Jelle van der Waa committed Oct 30, 2020

pgp.mit.edu is very slow and is often unreachable, keyserver.ubuntu.com
seems to be the only responsive server out there and is pretty complete,
let's use it instead.

Signed-off-by: Filipe Laíns <lains@archlinux.org>

Apparently our earlier permissions weren't enough.

Closes: #166

This personal access token is for automatically creating official Docker images and will be used via GitLab CI.

We want to periodically update it, not when we deploy the role :)

Add some recommended GitLab cleanup tasks (fixes #110)

Closes #110

See merge request !123

The idea is to make sure people don't blindly add cleanup tasks.

Update the ssh-known_hosts with the sorting fix applied, so the next
time it shouldn't change anymore.

Fix non-deterministic behavior of sync-ssh-hostkeys.yml

Closes #196

See merge request !124

Just in case, locales are complicated...

Fixes #196

Sometimes we'd get failures if files changed while backing them up.
See https://docs.gitlab.com/ee/raketasks/backup_restore.html#backup-strategy-option
for documentation on the fix.
This fixes #200.

use IPs for mail.archlinux.org in SPF record

See merge request !121

fix spf and mx record

See merge request !119

Not sure if this is relevant, but postfix only listens on IPv4. This is
what I just tested as working, so keep it this way.

Improve backup docs and add borg wrapper

Closes #56

See merge request !114

increase TTL to 600 after mail server migration

See merge request !118

Add mail.archlinux.org playbook

See merge request !112