- Jan 11, 2025
-
-
Jelle van der Waa authored
-
- Dec 23, 2024
- Sep 15, 2024
-
-
Leonidas Spyropoulos authored
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
-
- Aug 17, 2024
-
-
Kristian Klausen authored
We want to roll out HTTP/3 slowly, so this adds the necessary plumbing and makes it possible to enable it per host. Instead of adding the conditional logic to each nginx template, the 443 listen config is moved out into a snippet which is managed by the nginx role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and therefore reuseport[1][2] must be used to ensure that UDP packets for the same QUIC connection are directed to the same worker. reuseport can only be enabled once, so a default_server is added to the "inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for the latter). ssl_reject_handshake[3] is enabled as that allows enabling SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
-
Kristian Klausen authored
F5/nginx has blogged about this[1] and it is also mentioned in nginx's documentation[2]:

"There could be several add_header directives. These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level."

The problem occurs when add_header is used in a child context like a server{} or location{} block. It is solved by moving the HSTS header into a snippet, which is now included before all add_header lines. For now the HSTS header is the only global header, but in the future we may need to add more global headers, like the Alt-Svc header[3] for HTTP/3.

[1] https://www.f5.com/company/blog/nginx/avoiding-top-10-nginx-configuration-mistakes#directive-inheritance
[2] https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

Fix #608
-
- Aug 06, 2024
-
-
Christian Heusel authored
The module postgresql_privs deprecated the "password" parameter in favour of the "login_password" parameter, therefore replace accordingly.

https://github.com/ansible-collections/community.postgresql/blob/main/CHANGELOG.rst#id19

Fixes #603
Signed-off-by: Christian Heusel <christian@heusel.eu>
-
- Jul 29, 2024
-
-
Jelle van der Waa authored
Archweb now exports Prometheus status via /metrics with request duration information.
-
- Jul 28, 2024
-
-
Jan Alexander Steffens (heftig) authored
Using a cert named after the primary domain with `_legacy` appended. However, the cert is only issued for the legacy domains, not the primary domain. Deploy for `ipxe.archlinux.org`.

Fixes: releng#22
-
Jan Alexander Steffens (heftig) authored
They might conflict with the normal configuration, so we don't want these redirects to get cached.
-
Jan Alexander Steffens (heftig) authored
-
- Jul 20, 2024
-
-
Jelle van der Waa authored
One year of mirrorlogs keeps a table of 5000 MB which is rather large as we only show 7 days of logs. Keep it 6 months as maybe in the future mirror operators are interested in older data.
-
Jelle van der Waa authored
Keep postgresql connections around for 5 minutes; this avoids expensive authentication requests.
-
- Jul 18, 2024
-
-
Jelle van der Waa authored
planet.archlinux.org redirects to https://archlinux.org/planet which then redirects to https://archlinux.org/planet/. Skip one extra redirect.
-
Jelle van der Waa authored
This rate limits the endpoint which does things (i.e. uwsgi). 10 requests per second was already a lot, so 5 should be fine; realistically it can go lower as we have a burst.
-
- Jul 12, 2024
-
-
Jelle van der Waa authored
-
- Jun 10, 2024
-
-
Leonidas Spyropoulos authored
-
- Jun 08, 2024
-
-
Kristian Klausen authored
[1] c55b448c ("Add GitLab Pages for pacman")
-
- Jun 05, 2024
-
-
Jelle van der Waa authored
This is by far our most popular endpoint and some folks hit us with one request per 5 seconds which leads to 6GB of daily traffic. Rate limit them the same as broken RSS readers.
-
Jelle van der Waa authored
In reality the uwsgi endpoint gets hit with only 1 request on a normal page load, so 20 requests is way too lenient.
-
- Jun 02, 2024
-
-
> 2024/06/02 11:05:53 [warn] 30324#30324: the "listen ... http2" directive is deprecated, use the "http2" directive instead

Fixes #589
-
- May 11, 2024
-
-
Jelle van der Waa authored
-
- May 02, 2024
-
-
Jelle van der Waa authored
-
- Apr 28, 2024
-
-
Jelle van der Waa authored
-
- Apr 24, 2024
-
-
Christian Heusel authored
This is already done for the 'sudo' role, but we also have a few more sudoers files which currently go in unverified.

Signed-off-by: Christian Heusel <christian@heusel.eu>
-
- Mar 05, 2024
-
-
Jelle van der Waa authored
-
- Feb 10, 2024
-
-
Jelle van der Waa authored
-
- Nov 25, 2023
-
-
Jelle van der Waa authored
-
- Oct 23, 2023
-
-
Jelle van der Waa authored
-
Jelle van der Waa authored
-
- Aug 25, 2023
-
-
Jelle van der Waa authored
-
- May 19, 2023
-
-
Jelle van der Waa authored
-
- May 18, 2023
-
-
Evangelos Foutras authored
gcc is required by the zstandard Python package in order to build.
-
- Apr 11, 2023
-
-
Jelle van der Waa authored
-
- Mar 26, 2023
-
-
Jelle van der Waa authored
-
- Nov 18, 2022
-
-
Jelle van der Waa authored
-
Jelle van der Waa authored
-
- Sep 23, 2022
-
-
Jelle van der Waa authored
-
- Sep 18, 2022
-
-
Evangelos Foutras authored
-
- Aug 29, 2022
-
-
Evangelos Foutras authored
Fixes: 26f289b7 ("Capitalize the first letter of all task names")
-