It is cumbersome to manage the list configurations from the web ui and
easy for them to diverge, so let's instead manage them with Ansible.

Fix #254

The default of 0.5 has proven insufficient on at least 3 boxes so far.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Otherwise it can't open our letsencrypt certs. It will setuid to
`turnserver` itself.

We get a lot of unauthorized STUN requests in the logs.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This avoid having extra-long lines and works fine for task-based rules.

This might be a bug in ansible-lint 6.5.0, but it appears to ignore all
our 'skip_ansible_lint' tags. Fix this by replacing them with noqa tags.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

Useful if we wanted to create a Geo-based archive consisting of machines
in the archive_mirrors group (though this will likely not happen because
it'd break archlinux-repro due to the ~4 hour sync delay).

When the GeoIP databases get refreshed (weekly), we want PowerDNS to
reload them. Do this by running pdns_control reload in ExecStartPost.

"poetry run" is very slow[1] and adds +1 second to the startup time.
This is made even worse by the fact that aurweb-git-serve is called
twice by sshd[2].

[1] https://github.com/python-poetry/poetry/issues/3502
[2] https://security.stackexchange.com/questions/123795/authorizedkeyscommand-of-sshd-config-getting-called-twice/123801#123801

Microcode updates are not applicable to cloud servers.

http_requests_total  contains requests from debuginfo.al.org host
as well as from aur.al.org so filter them on job 'aurweb'

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

Using plain "borg" resolves to /usr/local/bin/borg which is the wrapper
for our main backup host. This causes the offsite backup to be executed
with BORG_REPO set to the main backup destination.

While the above doesn't cause any issues with the backup script/service,
because borg invocations specify the backup destination as an argument,
it's not ideal and/or correct. Adjust borg_cmd to include the full path
of /usr/bin/borg, thus removing any ambiguity.

rsync.net has upgraded to borg 1.2 and we can now run borg compact on
both rsync.net and the Hetzner storage box.

Fixes: 17927c9a ("borg_client: run compact after pruning on borg 1.2")

Update /etc/rebuilderd-sync.conf to use the Geo host mirror instead of
europe.mirror.pkgbuild.com (for added reliability in case the latter's
availability is impacted).

The /api/v0/build/report endpoint has received POSTs up to 161M so far
this year (2022). In 2021 there had been POSTs of sizes up to 404M and
up to 814M for 2020. Multiple hundreds of MB seem a bit excessive, but
we should be able to do up to 200M.

Remove a few stray TABs and correct double-indented lines.

Upstream archlinux-repro was already using europe.mirror.pkgbuild.com as
its bootstrap and regular mirror. Furthermore, since [1] it has switched
to the Geo mirror. Remove both vars from /etc/archlinux-repro/repro.conf
and use the default mirror values (which are more than suitable).

[1] https://github.com/archlinux/archlinux-repro/commit/c024b892d07a

Fixes: 68ec7871 ("aurweb: Mirror aur.git to GitHub[1]")

The burst size of 300 reportedly allows ~150 git operations. This might
not always be sufficient when installing a lot of packages from the AUR.

Specify a higher burst size to cover most legit use cases, even if this
makes us more susceptible to abuse.

"Disabling revoked keys in keyring" when running "pacman-key --populate"
is very slow (easily +20 seconds), in our case the boot is now ~27
seconds faster (tested on secure-runner1). The pacman master private key
is removed to prevent malicious actors from injecting packages, a new
key is generated by pacman-init.service on boot.

[1] https://archlinux.org/news/qemu-700-changes-split-package-setup/

Changes:
- Switch to arch-boxes' base image
- Verify the base image's signature
- Use the new "latest" symlink, instead of parsing the HTML for
  finding the latest arch-boxes image[1]
- Create the base image by using arch-chroot and friends, instead of
  creating a full-blown VM
- Create the VMs from domain XML template instead of virt-clone
- Switch mirror to geo.mirror.pkgbuild.com
- Try to follow "filesystem hierarchy" standards for where to place
  configuration (id_ed25519) and "vendor data" (arch-boxes.asc and
  domain_template.xml)
- Use a ed25519 key instead of RSA key
- Only start the "update base image" server if network and DNS are up
- Misc fixes and cleanups

[1] !552

Upstream now provides a solution for setting the "staging dir" for
fastzip[1].

[1] https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/3130