.gitlab/issue_templates/Onboarding.md

@@ -2,14 +2,32 @@
 This template should be used for onboarding new Arch Linux team members.
 It can also be used as a reference for adding new roles to an existing team member.
 -->
+/confidential
+<!--
+NOTE: Do not remove the above short actions.
+They ensure that the ticket is created confidential and that personal
+information is not publicly visible.
+-->
 
 # Onboarding an Arch Linux team member
 
 ## Details
 
-- **Team member username**:
+- **Team member username**: <!-- Used for SSO account and @archlinux.org e-mail address -->
 - **Application**: <!-- Add link to relevant mailing list mail -->
-  - **Voting result**: <!-- Add link to relevant mailing list mail -->
+- **Voting result**: <!-- Add link to relevant mailing list mail -->
+- **SSH public key**: <!-- Add this when a user's access to machines is added or updated -->
+- **Full Name**: <!-- Relevant for all new users -->
+- **Personal e-mail address**: <!-- Relevant for users who will get a new archweb and/or SSO account -->
+- **PGP key ID used with personal e-mail address**: <!-- Relevant for users who will get a new archweb account -->
+- **Communication e-mail address**: [arch, personal] <!-- Relevant for users who will be signed up to mailing lists. Either choose "arch" or "personal". -->
+
+<!--
+NOTE: When creating this ticket as the sponsor for a new trusted user or
+support staff member, attach the above information as a clearsigned document to
+this ticket.
+https://www.gnupg.org/gph/en/manual/x135.html
+-->
 
 ## All roles checklist
 The mailing list password can be found in misc/additional-credentials.vault.
@@ -17,20 +35,24 @@ The mailing list password can be found in misc/additional-credentials.vault.
 - [ ] Add new user email as per `docs/email.md`.
 - [ ] Create a new user in archweb: https://www.archlinux.org/devel/newuser/
       This is also linked in the django admin backend at the top
-- [ ] Subscribe user to internal [staff mailing list](https://lists.archlinux.org/admin/staff/members/add)
-- [ ] Give the user access to `#archlinux-staff` on Libera Chat
-- [ ] Give the user a link to our [staff services page](https://wiki.archlinux.org/title/DeveloperWiki:Staff_Services)
+- [ ] Subscribe **communication e-mail address** to internal [staff mailing list](https://lists.archlinux.org/admin/staff/members/add).
+- [ ] Give the user access to `#archlinux-staff` on Libera Chat.
+- [ ] Give the user a link to our [staff services page](https://wiki.archlinux.org/title/DeveloperWiki:Staff_Services).
+- [ ] Replace the **Team member username** with the @-prefixed username on Gitlab.
+- [ ] Remove personal information (such as **Full Name** and **Personal e-mail
+  address**, as well as the clearsigned representation of this data), remove
+  the description history and make the issue non-confidential.
 
 ## Packager onboarding checklist
 
 <!-- The ticket should be created by a sponsor of the new packager -->
-- [ ] Create [issue in archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new) (choose *"New Packager Key"* template)
+- [ ] Create [issue in archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new) (choose *"New Packager Key"* template).
 
 ## Main key onboarding checklist
 
 - [ ] Add new user email for the `master-key.archlinux.org` subdomain as per `docs/email.md`.
 <!-- The ticket should be created by the developer becoming a new main key holder -->
-- [ ] Create [issue in archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new) (choose *"New Main Key"* template)
+- [ ] Create [issue in archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new) (choose *"New Main Key"* template).
 
 ## Developer onboarding checklist
 
@@ -38,9 +60,9 @@ The mailing list password can be found in misc/additional-credentials.vault.
 - [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
 - [ ] Run `ansible-playbook -t archusers playbooks/*.yml`.
 - [ ] Assign the user to the `Developers` groups on Keycloak.
-- [ ] Assign the user to the `Developers` group on [archlinux.org](https://archlinux.org/admin/auth/user/)
-- [ ] Subscribe user to internal [arch-dev mailing list](https://lists.archlinux.org/admin/arch-dev/members/add)
-- [ ] Whitelist email address on [arch-dev-public](https://lists.archlinux.org/admin/arch-dev-public/members) (find member and unmoderate)
+- [ ] Assign the user to the `Developers` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
+- [ ] Subscribe **communication e-mail address** to internal [arch-dev](https://lists.archlinux.org/admin/arch-dev/members/add) mailing list.
+- [ ] Allow sending from **communication e-mail address** on [arch-dev-public](https://lists.archlinux.org/admin/arch-dev-public/members) (subscribe and/or find address and remove moderation).
 
 ## TU onboarding checklist
 
@@ -48,9 +70,9 @@ The mailing list password can be found in misc/additional-credentials.vault.
 - [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
 - [ ] Run `ansible-playbook -t archusers playbooks/*.yml`.
 - [ ] Assign the user to the `Trusted Users` groups on Keycloak.
-- [ ] Assign the user to the `Trusted Users` group on [archlinux.org](https://archlinux.org/admin/auth/user/)
-- [ ] Whitelist email address on [arch-dev-public](https://lists.archlinux.org/admin/arch-dev-public/members) (find member and unmoderate)
-- [ ] Subscribe user to internal [arch-tu mailing list](https://lists.archlinux.org/admin/arch-tu/members/add)
+- [ ] Assign the user to the `Trusted Users` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
+- [ ] Subscribe **communication e-mail address** to internal [arch-tu](https://lists.archlinux.org/admin/arch-tu/members/add) mailing list.
+- [ ] Allow sending from **communication e-mail address** on [arch-dev-public](https://lists.archlinux.org/admin/arch-dev-public/members) (subscribe and/or find address and remove moderation).
 
 ## DevOps onboarding checklist
 
@@ -58,10 +80,10 @@ The mailing list password can be found in misc/additional-credentials.vault.
 - [ ] Run `ansible-playbook -t root_ssh playbooks/all-hosts-basic.yml`.
 - [ ] Run `ansible-playbook playbooks/hetzner_storagebox.yml playbooks/rsync.net.yml`.
 - [ ] Assign the user to the `DevOps` group on Keycloak.
-- [ ] Subscribe user to [arch-devops-private mailing lists](https://lists.archlinux.org/admin/arch-devops-private/members/add)
+- [ ] Subscribe **communication e-mail address** to internal [arch-devops-private](https://lists.archlinux.org/admin/arch-devops-private/members/add) mailing list.
 - [ ] Add pubkey to [Hetzner's key management](https://robot.your-server.de/key/index) for Dedicated server rescue system.
 
 ## Wiki Administrator checklist
 
 - [ ] Assign the user to the `Wiki Admins` group on Keycloak.
-- [ ] Subscribe the user to the [arch-wiki-admins mailing list](https://lists.archlinux.org/admin/arch-wiki-admins/members/add).
+- [ ] Subscribe **communication e-mail address** to the [arch-wiki-admins](https://lists.archlinux.org/admin/arch-wiki-admins/members/add) mailing list.

docs/email.md

@@ -41,9 +41,6 @@ When a new host is provisioned:
   happen automatically as the *postfwd* role is a dependency of the *postfix*
   role (using `delegate_to` to run it against 'mail.archlinux.org' regardless of the target
   host that the postfix role is being run on)
-- Any services on the new host that need to relay mail should relay using SMTP
-  to `localhost` on port 10027 which bypasses any filtering/restrictions that
-  are applied by postfix to port 25 traffic.
 
 # Create new DKIM keys
 

docs/fail2ban.md

@@ -39,3 +39,6 @@ Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
 The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
 
 Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
+
+The `rsslimit` zone is whitelisted from being banned with `ignoreregex`, as we
+choose to not ban RSS abusers.

group_vars/all/vault_loki.yml

 $ANSIBLE_VAULT;1.1;AES256
-32393361373264633531353264623563303635643964323839616366656632363933626233386538
-3037343264613038613164303261626232333761336534340a313033636232643864663033656563
-32313164646232663663343235316361336163373265313639313032623239646339383530343039
-3236613365643235650a333066633439633964303532396466613464623166383162373161656566
-66666336623138363266393034376532313465633032363433383731613133656437323563346334
-34623433613437333861376638396461373439376463383830343531626666333935393262323636
-39343566336266316630373463633562643761353932613163663836613761383565373230326361
-34333433343330353831303233613236343132303239396666626437633832363433656532376236
-3062
+37643130346638613539323431666164623435666264346231643964626232343534666338646335
+3834376365383264306438316137313163613262323630370a666637316461396132383864633539
+37653062643062663563353635376462396237616634626633633762366334373665306563643366
+3139316239303165380a653166623863366130346231313465336666383365646264396337303334
+30383231653734613230376139326137306137333037616636336663656532316637633531313538
+63643330643031663563643430666165323933633933363436306334643166313231616664666664
+653339626466616537613738636465346538

host_vars/archlinux.org/misc

@@ -10,6 +10,6 @@ fail2ban_jails:
   sshd: true
   postfix: false
   dovecot: false
-  nginx_limit_req: false
+  nginx_limit_req: true
 wireguard_address: 10.0.0.1
 wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=

roles/archweb/files/robots.txt

+User-agent: *
+Disallow: /packages/search/
+Disallow: /packages/?
+Disallow: /packages/?*
+Sitemap: https://www.archlinux.org/sitemap.xml
+Crawl-delay: 2

roles/archweb/tasks/main.yml

@@ -73,6 +73,12 @@
 - name: fix home permissions
   file: state=directory owner=archweb group=archweb mode=0755 path="{{ archweb_dir }}"
 
+- name: make archlinux.org dir
+  file: path="{{ archweb_dir }}/archlinux.org" state=directory owner=archweb group=archweb mode=0755
+
+- name: configure robots.txt
+  copy: src=robots.txt dest="{{ archweb_dir }}/archlinux.org/robots.txt" owner=root group=root mode=0644
+
 - name: configure archweb
   template: src=local_settings.py.j2 dest={{ archweb_dir }}/local_settings.py owner=archweb group=archweb mode=0660
   register: config

roles/archweb/templates/nginx.d.conf.j2

 # limit rss requests to 1 r/m
 limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
+
+# limit general requests to 20 r/s to block DoS attempts.
+limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;
+
 limit_req_status 429;
 
 uwsgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=archwebcache:10m inactive=60m;
@@ -193,5 +197,7 @@ server {
         uwsgi_cache_revalidate on;
         uwsgi_cache_key $cache_key;
         add_header X-Cache-Status $upstream_cache_status;
+
+        limit_req zone=archweblimit burst=10 nodelay;
     }
 }

roles/borg_client/templates/borg-backup.service.j2

 [Unit]
 Description=Borg backup
+
+{% if inventory_hostname == "gitlab.archlinux.org" %}
+# The ordering relation defined below is important for the GitLab backups
+# because the offsite backup reuses the tarballs from this service's run.
+{% endif %}
 Wants=borg-backup-offsite.service
 Before=borg-backup-offsite.service
 

roles/borg_client/templates/borg-backup.sh.j2

@@ -45,7 +45,8 @@ if systemctl is-active mysqld || systemctl is-active mariadb; then
     /usr/local/bin/backup-mysql.sh || true
 fi
 
-{% if inventory_hostname == "gitlab.archlinux.org" %}
+{# When backing up to offsite, reuse the existing tarballs from the previous backup #}
+{% if inventory_hostname == "gitlab.archlinux.org" and item['suffix'] != '-offsite' %}
 # Create tarball backups of various GitLab directories using the official backup tool
 systemctl is-active docker && /usr/local/bin/backup-gitlab.sh
 {% endif %}

roles/dbscripts/tasks/main.yml

@@ -217,7 +217,7 @@
   user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
 
 - name: configure svntogit git user name
-  command: git config --global user.name = 'svntogit'
+  command: git config --global user.name svntogit
   become: true
   become_user: svntogit
   register: git_config_username
@@ -226,7 +226,7 @@
     - skip_ansible_lint
 
 - name: configure svntogit git user email
-  command: git config --global user.name = 'svntogit@repos.archlinux.org'
+  command: git config --global user.email svntogit@repos.archlinux.org
   become: true
   become_user: svntogit
   register: git_config_email
@@ -265,7 +265,9 @@
 
 # The following command also serves as a way to get the data the first time the repo is set up
 - name: configure svntogit pull upstream branch
-  command: git pull public master chdir=/srv/svntogit/repos/{{ item }}
+  command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
+  environment:
+    - SHELL: /bin/bash
   with_items:
     - community
     - packages

roles/dbscripts/templates/authorized_keys-group.j2

@@ -5,7 +5,7 @@
             {% set keys = lookup('file', '../pubkeys/'+user+'.pub').split("\n") %}
             {% for key in keys | sort %}
                 {% if "command" not in key -%}
-                    command="/usr/bin/svnserve --tunnel-user={{user}} -t",no-port-forwarding,no-agent-forwarding,no-pty {{key}}
+                    command="/usr/bin/svnserve --tunnel-user={{user}} -t",restrict {{key}}
                 {% endif %}
             {% endfor %}
         {% endif %}

roles/fail2ban/templates/nginx-limit-req.jail.j2

@@ -10,4 +10,6 @@ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
 logpath = /var/log/nginx/*/error.log
 findtime = 5min
 bantime = 1hours
-maxretry = 10
\ No newline at end of file
+maxretry = 10
+# Do not fail2ban archweb's rss limit.
+ignoreregex = rsslimit

roles/grafana/files/dashboards/backups.json

@@ -15,7 +15,6 @@
   "editable": true,
   "gnetId": null,
   "graphTooltip": 0,
-  "id": 47,
   "links": [],
   "panels": [
     {
@@ -176,11 +175,12 @@
         "showThresholdMarkers": true,
         "text": {}
       },
-      "pluginVersion": "8.0.3",
+      "pluginVersion": "8.0.5",
       "targets": [
         {
           "exemplar": true,
           "expr": "hetzner_storage_box_free_bytes{instance=\"monitoring.archlinux.org\"}",
+          "instant": true,
           "interval": "",
           "legendFormat": "",
           "queryType": "randomWalk",
@@ -378,5 +378,5 @@
   "timezone": "",
   "title": "Borg Backups",
   "uid": "Rnqpymznz",
-  "version": 30
-}
\ No newline at end of file
+  "version": 33
+}

roles/grafana/templates/grafana.ini.j2

@@ -214,7 +214,7 @@ secret_key = {{ vault_grafana_secret_key }}
 cookie_secure = true
 
 # set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
-;cookie_samesite = lax
+cookie_samesite = strict
 
 # set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
 ;allow_embedding = false

roles/loki/defaults/main.yml

-loki_nginx_htpasswd: /etc/nginx/auth/loki

roles/loki/tasks/main.yml

@@ -6,23 +6,11 @@
   copy: src=loki.yaml dest=/etc/loki/ owner=root group=root mode=0644
   notify: restart loki
 
-- name: install python-passlib
-  pacman: name=python-passlib
-
-- name: create htpasswd for nginx loki endpoint
-  htpasswd:
-    path: "{{ loki_nginx_htpasswd }}"
-    name: "{{ vault_loki_nginx_user }}"
-    password: "{{ vault_loki_nginx_passwd }}"
-    owner: root
-    group: http
-    mode: 0640
-
 - name: make nginx log dir
   file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755
 
 - name: set up nginx
-  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=644
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=640
   notify: reload nginx
   tags: ['nginx']
 

roles/loki/templates/nginx.d.conf.j2

@@ -12,8 +12,9 @@ server {
     error_log    /var/log/nginx/loki/error.log;
 
     location = /loki/api/v1/push {
-        auth_basic "Loki :)";
-        auth_basic_user_file {{ loki_nginx_htpasswd }};
+        if ($http_authorization != "Bearer {{ vault_loki_token }}") {
+            return 403;
+        }
 
         proxy_pass http://127.0.0.1:3100$request_uri;
     }

roles/mailman/files/aliases

+root		root@archlinux.org
+MAILER-DAEMON	postmaster@archlinux.org
+postmaster	postmaster@archlinux.org
+abuse		abuse@archlinux.org

roles/mailman/tasks/main.yml

@@ -19,7 +19,9 @@
 - name: install postfix maps
   copy: src={{ item }} dest=/etc/postfix/ owner=root group=root mode=0644
   loop:
+    - aliases
     - milter_header_checks
+  notify: reload postfix
 
 - name: open firewall holes for postfix
   ansible.posix.firewalld: service=smtp permanent=true state=enabled immediate=yes