Robin Candau authored 3 months ago and Robin Candau committed 3 months ago

See https://github.com/ansible/ansible/pull/77644

We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection is directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606

Robin Candau authored 9 months ago and Robin Candau committed 9 months ago

> 2024/06/02 11:05:53 \[warn\] 30324#30324: the "listen ... http2" directive is deprecated, use the "http2" directive instead

Fixes #589

Arch's postfix 3.9.0-1 package removes support for BDB hash: and btree:
database types, and switches the default to LMDB. [1]

[1] archlinux/packaging/packages/postfix@2ebb2274

Some of the mails generated by gitlab are way bigger than 200KB, e.g.
this[1] Thunderbird package bump resulting in a 850KB mail. So bump t0
1000KB for now and see if it is enough.

[1] archlinux/packaging/packages/thunderbird@3da91c6e

ansible-lint 6.19.0 started complaining about this:

   schema[tasks]: 'become_method' must be one of the currently available
   values: ansible.builtin.runas, ansible.builtin.su,
           ansible.builtin.sudo, ansible.netcommon.enable,
           community.general.doas, community.general.dzdo,
           community.general.ksu, community.general.machinectl,
           community.general.pbrun, community.general.pfexec,
           community.general.pmrun, community.general.sesu,
           community.general.sudosu, containers.podman.podman_unshare

We have had bruteforce attempts to perform SQL injections on the signup
page. To get rid of the alerts, let's rate limit this properly.

It was brought to our attention by @foxboron, that arch-security is
misconfigured. It should only accept mails from members of the Arch
Security Team.

It is unclear if the list has always been misconfigured or if it
happened as part of mailman2 -> mailman3 migration.

Add "noqa no-changed-when" tags to handlers using the command module.
Perhaps it is wrong of ansible-lint to flag these, since handlers are
not the best place to have conditional execution.

Liberally add "noqa no-changed-when" tags to the problematic tasks,
except for two "systemd-tmpfiles --create" calls. For these we can
simply include the creates= parameter in the command module's call.

The bug[1] would explain all the bounces and unsubscriptions, so patch
it manually until upstream gets it sorted.

[1] https://gitlab.com/mailman/mailman/-/issues/636

All lists expect arch-mirrors-announce and aur-requests[1] require the
user to be a member before they can post. Moderating mails from
nonmembers are a lot of work and most of the mails are spam, so let's
just reject them. Mails to arch-mirrors-announce and aur-requests from
nonmembers will still be checked manually, as you aren't required to be
subscribed[1].

[1] https://wiki.archlinux.org/index.php?title=General_guidelines&oldid=750602#Reply_to_the_mailing_list

mkinitcpio moved from GitHub to gitlab.archlinux.org.
See #474.

SQLAlchemy 1.4 no longer accepts engine URLs of the form postgres://.

https://docs.sqlalchemy.org/en/20/changelog/changelog_14.html#change-3687655465c25a39b968b4f5f6e9170b

With the final lists migrated to mailman3[1], the mailman2 server can
finally be killed.

When the mailman3 server was initially setup[2], it was done on a
separate server because the mailman and mailman3 packages conflicted,
and the traffic was routed over wireguard (HTTP, LMTP and SMTP).

Instead of installing mailman3 on the original lists.al.org server and
transferring the data, it was easier just to install the missing pieces
(basically Postfix and adjusting the Nginx configuration) on the ml3
server and move the IPs (to keep the IP mail reputation).

So basically the following was done:
- The IPs for the original lists.al.org was moved to the mailman3.al.org
  server
- The mailman2 datadir was transferred to mailman3.al.org server, so we
  can keep the pipermail links alive, and import missing mails if needed
- The original lists.al.org server was decommissioned
- The mailman3.al.org server was renamed to lists.al.org
- The missing pieces was added to the mailman3 role (basically Postfix +
  Nginx adjustments)
- The mailman role was deleted and the mailman3 role renamed to mailman

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")
[2] 9294828f ("Setup mailman3 server")

Fix #59

All lists have been migrated to mailman3[1] and mailman3 is what users
should use, so show its interface by default and not the mailman2
interface.

[1] 75ac7d09 ("mailman: Fourth and final batch of mailman3 migrated lists")

arch-general
aur-general
aur-requests

It has been decided not to migrate the following unlisted and unused
lists:
arch-magazine
arch-notifications
arch-test
mailman

arch-commits
arch-security
aur-dev
pacman-contrib
pacman-dev

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

arch-dev
arch-devops
arch-dev-public
arch-mirrors
arch-mirrors-announce
arch-multilib
arch-ports
arch-proaudio
arch-projects
arch-releng
arch-tu
arch-women
staff

arch-announce
arch-devops-private
arch-events
arch-wiki-admins

We want to migrate to mailman3 as mailman2 is basically unmaintained and
requires Python 2 which is EOL.

Because the mailman and mailman3 packages conflict and we don't want to
perform a big bang migration, mailman3 must be deployed on a separate
server. mailman-web (mailman3's web interface) hasn't been packaged yet,
so for now we are using my homebrewed PKGBUILD[1].

[1] https://gist.github.com/klausenbusk/5982063f95c503754a51ed2fefb8915e

Ref #59

It has been killed by systemd-oomd a few times recently and we don't
want to start it manually every time it happens.

It confuses the users that the browser is caching them (due to
heuristic[1]).

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#heuristic_freshness_checking

The DNS is still pointing to luna.

The redirects are now done by the `redirects` role.

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

A extra access_log entry was added with the following commands:
$ cd roles
$ grep -lr access_log | xargs -P 1 -n 1 sed -i '/access_log/ s/\(.*\)\( \)\(\(reduced\|main\);$\)/\1 \3\n\1.json json_\3/'

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites

For proxy/fastcgi/uwsgi blocks, logging is still set to the old format,
but for everything else (= static data) a reduced format is used that
excludes items that no longer make sense (request_time, remote_user) and
those that are personal information all the time (remote_addr, http_x_forwarded_for).

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Signed-off-by: Florian Pritz <bluewind@xinu.at>