Bump pacman version

See merge request !333

Monitor remaning (mta-sts +  openpgpkey + repos + static.conf) and recently added services (ping + md)

See merge request !324

Kristian Klausen authored 4 years ago and Frederik Schwan committed 4 years ago

This is a partial "revert" of: 01b2b5b2 ("Remove non 200-399 status code domains")

role(postfix): remove export-grade dh params

See merge request !332

George Rawlinson authored 4 years ago and Frederik Schwan committed 4 years ago

According to upstream documentation[0], the configuration parameter
smtpd_tls_dh512_param_file will be ignored from the next release of
Postfix (3.6).

[0]: http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file

It was getting very cramped with only a few MBs left. It appears currently we only get about 6 months worth of data out of 20G
so 100G seems reasonable.

arch_boxes_sync: Handle delay between release and artifacts being ready gracefully

See merge request !330

The releases are released/tagged and then built, so there is a delay
between releasing a release and the artifcats being ready, we should
handle that gracefully.

prometheus_exporters: fix permissions of blackbox.yml

See merge request !329

Yaml is not executable.

ci: Install ansible so ansible-lint can resolve the modules

See merge request !331

ansible-lint no longer depends on ansible[1][2] which causes it to fail
with: syntax-check: couldn't resolve module/action 'pacman', as the
modules is part of ansible and not ansible-base.

[1] https://bugs.archlinux.org/task/69920
[2] https://github.com/archlinux/svntogit-community/commit/a3ccb42b8dc104a4616a64fac4a1f6dd44ffedca

Disallow changing of the Gitlab username

See merge request !328

As keycloak is the canonical source of truth and interacting with gitlab
usually requires the username as identifier. As we don't want to
accidently assign permissions to a changed username disallow changing of
usernames altogether in Gitlab.

For symmetry with synapse-worker@.service.

To prevent mjolnir from failing.

Borg backup check

See merge request !322

Now that our textcollector depends on the condition of /backup being
available, we should be extra careful that we get rid of the directory.
If anything in the script fails, a trap now umounts and removes the
directory automatically if on btrfs.being available, we should be extra
careful that we get rid of the directory. If anything in the script
fails, a trap now umounts and removes the directory automatically if on
btrfs.

Currently our textcollector can sometimes fail with 'Failed to
create/acquire the lock /home/backup/$server/lock.exclusive (timeout)."
Instead of checking on a borg lock file, check if our backup snapshot
dir exists which the backup script creates and removes. This should give
less false positives then our current method.

Rate limit our archweb RSS feeds

See merge request !319

Cache urls which urls marks as can be cached by nginx. This offloads our
uwsgi workers and allows for speedier delivery of RSS feeds and other
cached routes.

Due to users misconfiguring their conky to query for rss updates every
second add proper rate limitting to all rss endpoints in nginx.

The websocket support always 400'd as upgrade headers where missing for
/socket.io

arch_boxes_sync: Override the "latest" link instead of following it

See merge request !318

Configure network correctly for Kape servers

See merge request !320

Previously we configured our network conf to all interfaces, which
shouldn't be done as not all our routed to the internet and this causes
systemd-network-online target to fail.

Update ServiceDown rule to 10 minutes from 5 min.

See merge request !321