misc/find-arch-on-crt.sh

@@ -8,6 +8,7 @@ set -eo pipefail
 readonly DOMAINS=(
   archlinux.org
   pkgbuild.com
+  archlinux.page
 )
 readonly LOOKUP_URLS=(
   "${DOMAINS[@]/#/https://crt.sh/?exclude=expired&deduplicate=Y&output=json&q=}"

roles/archwiki/templates/LocalSettings.php.j2

@@ -424,13 +424,13 @@ $wgCaptchaQuestions = [
 ];
 
 # Restrict expensive actions to logged in users
-wfLoadExtension( 'Lockdown' );
-$wgSpecialPageLockdown['Recentchanges'] = [ 'user' ];
-$wgSpecialPageLockdown['Newpages'] = [ 'user' ];
-$wgSpecialPageLockdown['Recentchangeslinked'] = [ 'user' ];
-$wgSpecialPageLockdown['Log'] = [ 'user' ];
-$wgSpecialPageLockdown['Diff'] = [ 'user' ];
-$wgActionLockdown['history'] = ['user'];
+#wfLoadExtension( 'Lockdown' );
+#$wgSpecialPageLockdown['Recentchanges'] = [ 'user' ];
+#$wgSpecialPageLockdown['Newpages'] = [ 'user' ];
+#$wgSpecialPageLockdown['Recentchangeslinked'] = [ 'user' ];
+#$wgSpecialPageLockdown['Log'] = [ 'user' ];
+#$wgSpecialPageLockdown['Diff'] = [ 'user' ];
+#$wgActionLockdown['history'] = ['user'];
 
 # Renameuser extension
 wfLoadExtension( 'Renameuser' );

roles/grafana/templates/grafana.ini.j2

@@ -309,7 +309,7 @@ strict_transport_security_max_age_seconds = 86400
 # $ROOT_PATH is server.root_url without the protocol.
 ;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
 
-# Controls if old angular plugins are supported or not. This will be disabled by default in Grafana v9.
+# Controls if old angular plugins are supported or not. This will be disabled by default in future release
 ;angular_support_enabled = true
 
 [security.encryption]
@@ -604,7 +604,7 @@ role_attribute_strict = true
 
 # LDAP background sync (Enterprise only)
 # At 1 am every day
-;sync_cron = "0 0 1 * * *"
+;sync_cron = "0 1 * * *"
 ;active_sync_enabled = true
 
 #################################### AWS ###########################
@@ -633,6 +633,11 @@ role_attribute_strict = true
 # Should be set for user-assigned identity and should be empty for system-assigned identity
 ;managed_identity_client_id =
 
+#################################### Role-based Access Control ###########
+[rbac]
+;enabled = true
+# If enabled, cache permissions in a in memory cache (Enterprise only)
+;permission_cache = true
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
@@ -908,7 +913,7 @@ enabled = false
 #################################### Query History #############################
 [query_history]
 # Enable the Query history
-;enabled = false
+;enabled = true
 
 #################################### Internal Grafana Metrics ##########################
 # Metrics available at HTTP URL /metrics and /metrics/plugins/:pluginId
@@ -942,6 +947,7 @@ enabled = false
 ;url = https://grafana.com
 
 #################################### Distributed tracing ############
+# Opentracing is deprecated use opentelemetry instead
 [tracing.jaeger]
 # Enable by setting the address sending traces to jaeger (ex localhost:6831)
 ;address = localhost:6831
@@ -968,6 +974,15 @@ enabled = false
 [tracing.opentelemetry.jaeger]
 # jaeger destination (ex http://localhost:14268/api/traces)
 ; address = http://localhost:14268/api/traces
+# Propagation specifies the text map propagation format: w3c, jaeger
+; propagation = jaeger
+
+# This is a configuration for OTLP exporter with GRPC protocol
+[tracing.opentelemetry.otlp]
+# otlp destination (ex localhost:4317)
+; address = localhost:4317
+# Propagation specifies the text map propagation format: w3c, jaeger
+; propagation = w3c
 
 #################################### External image storage ##########################
 [external_image_storage]

roles/prometheus/defaults/main.yml

@@ -24,6 +24,7 @@ blackbox_targets:
     - https://america.mirror.pkgbuild.com
     - https://archive.archlinux.org
     - https://archlinux.org
+    - https://archlinux.page
     - https://asia.archive.pkgbuild.com
     - https://asia.mirror.pkgbuild.com
     - https://aur.archlinux.org
@@ -45,6 +46,7 @@ blackbox_targets:
     - https://md.archlinux.org
     - https://mirror.pkgbuild.com
     - https://monitoring.archlinux.org/healthz
+    - https://monthly-reports.archlinux.page
     - https://mta-sts.archlinux.org/.well-known/mta-sts.txt
     - https://mta-sts.aur.archlinux.org/.well-known/mta-sts.txt
     - https://mta-sts.lists.archlinux.org/.well-known/mta-sts.txt
@@ -56,6 +58,7 @@ blackbox_targets:
     - https://ping.archlinux.org
     - https://pkgbuild.com
     - https://planet.archlinux.org
+    - https://repod.archlinux.page
     - https://repos.archlinux.org/lastupdate
     - https://reproducible.archlinux.org
     - https://security.archlinux.org

tf-stage1/archlinux.tf

@@ -171,6 +171,11 @@ locals {
     "terms"                 = "0b62a71af2aa85fb491295b543b4c3d2"
   }
 
+  archlinux_page_gitlab_pages = {
+    "repod"           = "f2d1ad84f7e9f22cd881d3bef58263e0"
+    "monthly-reports" = "a2d60657e960b480cdb229df7cc7edf3"
+  }
+
   # This creates archlinux.org TXT DNS entries
   # Valid parameters are:
   #   - ttl (optional)
@@ -365,6 +370,22 @@ locals {
     }
   }
 
+  # This creates archlinux.page A/AAAA DNS entries.
+  #
+  # The entry name corresponds to the subdomain.
+  # '@' is the root doman (archlinux.page).
+  # Valid parameters are:
+  #   - ipv4_address (mandatory)
+  #   - ipv6_address (mandatory)
+  #   - ttl (optional)
+  #
+  archlinux_page_a_aaaa = {
+    "@" = {
+      ipv4_address = hcloud_floating_ip.gitlab_pages.ip_address
+      ipv6_address = var.gitlab_pages_ipv6
+    }
+  }
+
   # Domains served by machines in the geo_mirrors group
   # Valid parameters are:
   #   - zone_id (mandatory, either of hetznerdns_zone.{archlinux,pkgbuild}.id)
@@ -387,11 +408,78 @@ resource "hetznerdns_zone" "archlinux" {
   ttl  = 3600
 }
 
+resource "hetznerdns_zone" "archlinux_page" {
+  name = "archlinux.page"
+  ttl  = 3600
+}
+
 resource "hetznerdns_zone" "pkgbuild" {
   name = "pkgbuild.com"
   ttl  = 3600
 }
 
+resource "hetznerdns_record" "archlinux_page_origin_caa" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "@"
+  value   = "0 issue \"letsencrypt.org\""
+  type    = "CAA"
+}
+
+resource "hetznerdns_record" "archlinux_page_origin_mx" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "@"
+  value   = "0 ."
+  type    = "MX"
+}
+
+resource "hetznerdns_record" "archlinux_page_origin_ns3" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "@"
+  value   = "helium.ns.hetzner.de."
+  type    = "NS"
+  ttl     = 86400
+}
+
+resource "hetznerdns_record" "archlinux_page_origin_ns2" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "@"
+  value   = "oxygen.ns.hetzner.com."
+  type    = "NS"
+  ttl     = 86400
+}
+
+resource "hetznerdns_record" "archlinux_page_origin_ns1" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "@"
+  value   = "hydrogen.ns.hetzner.com."
+  type    = "NS"
+  ttl     = 86400
+}
+
+# TODO: Commented currently as we have no idea how to handle SOA stuff with Terraform:
+# https://github.com/timohirt/terraform-provider-hetznerdns/issues/20
+# https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/62#note_4040
+# resource "hetznerdns_record" "archlinux_page_origin_soa" {
+#   zone_id = hetznerdns_zone.archlinux_page.id
+#   name = "@"
+#   value = "hydrogen.ns.hetzner.com. hetzner.archlinux.org. 2021070703 3600 1800 604800 3600"
+#   type = "SOA"
+# }
+
+resource "hetznerdns_record" "archlinux_page_origin_txt" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "@"
+  value   = "\"v=spf1 -all\""
+  type    = "TXT"
+}
+
+resource "hetznerdns_record" "pages_verification_code_archlinux_page_origin_txt" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "_gitlab-pages-verification-code"
+  value   = "_gitlab-pages-verification-code=d66f6b2195948e509da553a5e4f3ebcd"
+  type    = "TXT"
+}
+
 resource "hetznerdns_record" "pkgbuild_com_origin_caa" {
   zone_id = hetznerdns_zone.pkgbuild.id
   name    = "@"

tf-stage1/templates.tf

@@ -18,6 +18,44 @@ resource "hetznerdns_record" "archlinux_org_gitlab_pages_verification_code_txt"
   type    = "TXT"
 }
 
+resource "hetznerdns_record" "archlinux_page_gitlab_pages_cname" {
+  for_each = local.archlinux_page_gitlab_pages
+
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = each.key
+  value   = "pages.archlinux.org."
+  type    = "CNAME"
+}
+
+resource "hetznerdns_record" "archlinux_page_gitlab_pages_verification_code_txt" {
+  for_each = local.archlinux_page_gitlab_pages
+
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "_gitlab-pages-verification-code.${each.key}"
+  value   = "gitlab-pages-verification-code=${each.value}"
+  type    = "TXT"
+}
+
+resource "hetznerdns_record" "archlinux_page_a" {
+  for_each = local.archlinux_page_a_aaaa
+
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = each.key
+  ttl     = lookup(local.archlinux_page_a_aaaa[each.key], "ttl", null)
+  value   = each.value.ipv4_address
+  type    = "A"
+}
+
+resource "hetznerdns_record" "archlinux_page_aaaa" {
+  for_each = local.archlinux_page_a_aaaa
+
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = each.key
+  ttl     = lookup(local.archlinux_page_a_aaaa[each.key], "ttl", null)
+  value   = each.value.ipv6_address
+  type    = "AAAA"
+}
+
 resource "hetznerdns_record" "pkgbuild_org_a" {
   for_each = local.pkgbuild_com_a_aaaa