host_vars/secure-runner2.archlinux.org

----
-filesystem: "btrfs"

playbooks/man.archlinux.org.yml

@@ -17,4 +17,4 @@
     - { role: promtail }
     - { role: postgres }
     - { role: uwsgi }
-    - { role: archmanweb, archmanweb_version: 'v1.1' }
+    - { role: archmanweb, archmanweb_version: 'v1.2' }

roles/archmanweb/tasks/main.yml

@@ -15,6 +15,7 @@
       - pyalpm
       - python-chardet
       - python-django
+      - python-django-csp
       - python-psycopg2
       - python-requests
       - python-xtarfile

roles/keycloak/files/theme/archlinux/account/index.ftl

@@ -57,7 +57,7 @@
             <#if referrer??>
                 var referrer = '${referrer}';
                 var referrerName = '${referrerName}';
-                var referrerUri = '${referrer_uri?no_esc}';
+                var referrerUri = '${referrer_uri}'.replace('&amp;', '&');
             </#if>
 
             <#if msg??>
@@ -146,7 +146,7 @@
 <div id="spinner_screen" style="display:block; height:100%">
     <div style="width: 320px; height: 328px; text-align: center; position: absolute; top:0;	bottom: 0; left: 0;	right: 0; margin: auto;">
                 <#if properties.logo?has_content>
-                <img src="${resourceUrl}${properties.logoDark}" alt="Logo" class="brand">
+                <img src="${resourceUrl}${properties.logo}" alt="Logo" class="brand">
                 <#else>
                 <img src="${resourceUrl}/public/archlinux-logo-dark.svg" alt="Logo" class="brand">
                 </#if>

roles/keycloak/files/theme/archlinux/login/login-config-totp.ftl

 <#import "template.ftl" as layout>
-<@layout.registrationLayout displayInfo=true displayRequiredFields=true; section>
+<@layout.registrationLayout displayRequiredFields=false displayMessage=!messagesPerField.existsError('totp','userLabel'); section>
 
     <#if section = "header">
         ${msg("loginTotpTitle")}
-
     <#elseif section = "form">
-
-    <div class="alert alert-warning">
-    <span class="${properties.kcFeedbackWarningIcon}"></span>
-    ${kcSanitize(msg("totp-registration-warning"))?no_esc}
-    </div>
-
-    <ol id="kc-totp-settings">
-        <li>
-            <p>${msg("loginTotpStep1")}</p>
-
-            <ul id="kc-totp-supported-apps">
-                <div style="margin-bottom: 10px; float: left; width: 40%">
-                    <h4>Android</h4>
-                    <ul style="margin-top: -5px;">
-                        <li><a target="_blank" rel="noopener noreferrer" href="https://getaegis.app/">Aegis</a></li>
-                        <li><a target="_blank" rel="noopener noreferrer" href="https://github.com/andOTP/andOTP">andOTP</a></li>
-                        <li><a target="_blank" rel="noopener noreferrer" href="https://github.com/helloworld1/FreeOTPPlus">FreeOTP+</a></li>
-                    </ul>
-                </div>
-                <div style="margin-bottom: 10px; float: left; width: 60%">
-                    <h4>iOS</h4>
-                    <ul style="margin-top: -5px;">
-                        <li><a target="_blank" rel="noopener noreferrer" href="https://authy.com/">Authy</a></li>
-                        <li><a target="_blank" rel="noopener noreferrer" href="https://lastpass.com/auth/">LastPass Authenticator</a></li>
-                        <li><a target="_blank" rel="noopener noreferrer" href="https://cooperrs.de/otpauth.html ">OTP Auth</a></li>
-                    </ul>
-                </div>
-            </ul>
-        </li>
-
-        <#if mode?? && mode = "manual">
+        <div class="alert alert-warning">
+            <span class="${properties.kcFeedbackWarningIcon}"></span>
+            ${kcSanitize(msg("totp-registration-warning"))?no_esc}
+        </div>
+        <ol id="kc-totp-settings">
             <li>
-                <p>${msg("loginTotpManualStep2")}</p>
-                <p><span id="kc-totp-secret-key">${totp.totpSecretEncoded}</span></p>
-                <p><a href="${totp.qrUrl}" id="mode-barcode">${msg("loginTotpScanBarcode")}</a></p>
+                <p>${msg("loginTotpStep1")}</p>
+
+                <ul id="kc-totp-supported-apps">
+                    <div style="margin-bottom: 10px; float: left; width: 40%">
+                        <h4>Android</h4>
+                        <ul style="margin-top: -5px;">
+                            <li><a target="_blank" rel="noopener noreferrer" href="https://getaegis.app/">Aegis</a></li>
+                            <li><a target="_blank" rel="noopener noreferrer" href="https://github.com/andOTP/andOTP">andOTP</a></li>
+                            <li><a target="_blank" rel="noopener noreferrer" href="https://github.com/helloworld1/FreeOTPPlus">FreeOTP+</a></li>
+                        </ul>
+                    </div>
+                    <div style="margin-bottom: 10px; float: left; width: 60%">
+                        <h4>iOS</h4>
+                        <ul style="margin-top: -5px;">
+                            <li><a target="_blank" rel="noopener noreferrer" href="https://authy.com/">Authy</a></li>
+                            <li><a target="_blank" rel="noopener noreferrer" href="https://lastpass.com/auth/">LastPass Authenticator</a></li>
+                            <li><a target="_blank" rel="noopener noreferrer" href="https://cooperrs.de/otpauth.html ">OTP Auth</a></li>
+                        </ul>
+                    </div>
+                </ul>
             </li>
-            <li>
-                <p>${msg("loginTotpManualStep3")}</p>
-                <p>
+
+            <#if mode?? && mode = "manual">
+                <li>
+                    <p>${msg("loginTotpManualStep2")}</p>
+                    <p><span id="kc-totp-secret-key">${totp.totpSecretEncoded}</span></p>
+                    <p><a href="${totp.qrUrl}" id="mode-barcode">${msg("loginTotpScanBarcode")}</a></p>
+                </li>
+                <li>
+                    <p>${msg("loginTotpManualStep3")}</p>
+                    <p>
                     <ul>
                         <li id="kc-totp-type">${msg("loginTotpType")}: ${msg("loginTotp." + totp.policy.type)}</li>
                         <li id="kc-totp-algorithm">${msg("loginTotpAlgorithm")}: ${totp.policy.getAlgorithmKey()}</li>
@@ -54,58 +51,75 @@
                             <li id="kc-totp-counter">${msg("loginTotpCounter")}: ${totp.policy.initialCounter}</li>
                         </#if>
                     </ul>
-                </p>
-            </li>
-        <#else>
+                    </p>
+                </li>
+            <#else>
+                <li>
+                    <p>${msg("loginTotpStep2")}</p>
+                    <img id="kc-totp-secret-qr-code" src="data:image/png;base64, ${totp.totpSecretQrCode}" alt="Figure: Barcode"><br/>
+                    <p><a href="${totp.manualUrl}" id="mode-manual">${msg("loginTotpUnableToScan")}</a></p>
+                </li>
+            </#if>
             <li>
-                <p>${msg("loginTotpStep2")}</p>
-                <img id="kc-totp-secret-qr-code" src="data:image/png;base64, ${totp.totpSecretQrCode}" alt="Figure: Barcode"><br/>
-                <p><a href="${totp.manualUrl}" id="mode-manual">${msg("loginTotpUnableToScan")}</a></p>
+                <p>${msg("loginTotpStep3")}</p>
+                <p>${msg("loginTotpStep3DeviceName")}</p>
             </li>
-        </#if>
-        <li>
-            <p>${msg("loginTotpStep3")}</p>
-            <p>${msg("loginTotpStep3DeviceName")}</p>
-        </li>
-    </ol>
+        </ol>
 
-    <form action="${url.loginAction}" class="${properties.kcFormClass!}" id="kc-totp-settings-form" method="post">
-        <div class="${properties.kcFormGroupClass!}">
-            <div class="${properties.kcInputWrapperClass!}">
-                <label for="totp" class="control-label">${msg("authenticatorCode")}</label> <span class="required">*</span>
-            </div>
-            <div class="${properties.kcInputWrapperClass!}">
-                <input type="text" id="totp" name="totp" autocomplete="off" class="${properties.kcInputClass!}" />
-            </div>
-            <input type="hidden" id="totpSecret" name="totpSecret" value="${totp.totpSecret}" />
-            <#if mode??><input type="hidden" id="mode" name="mode" value="${mode}"/></#if>
-        </div>
+        <form action="${url.loginAction}" class="${properties.kcFormClass!}" id="kc-totp-settings-form" method="post">
+            <div class="${properties.kcFormGroupClass!}">
+                <div class="${properties.kcInputWrapperClass!}">
+                    <label for="totp" class="control-label">${msg("authenticatorCode")}</label> <span class="required">*</span>
+                </div>
+                <div class="${properties.kcInputWrapperClass!}">
+                    <input type="text" id="totp" name="totp" autocomplete="off" class="${properties.kcInputClass!}"
+                           aria-invalid="<#if messagesPerField.existsError('totp')>true</#if>"
+                    />
+
+                    <#if messagesPerField.existsError('totp')>
+                        <span id="input-error-otp-code" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+                            ${kcSanitize(messagesPerField.get('totp'))?no_esc}
+                        </span>
+                    </#if>
 
-        <div class="${properties.kcFormGroupClass!}" ${messagesPerField.printIfExists('userLabel',properties.kcFormGroupErrorClass!)}">
-            <div class="${properties.kcInputWrapperClass!}">
-                <label for="userLabel" class="control-label">${msg("loginTotpDeviceName")}</label> <#if totp.otpCredentials?size gte 1><span class="required">*</span></#if>
+                </div>
+                <input type="hidden" id="totpSecret" name="totpSecret" value="${totp.totpSecret}" />
+                <#if mode??><input type="hidden" id="mode" name="mode" value="${mode}"/></#if>
             </div>
 
-            <div class="${properties.kcInputWrapperClass!}">
-                <input type="text" class="form-control" id="userLabel" name="userLabel" autocomplete="off">
+            <div class="${properties.kcFormGroupClass!}">
+                <div class="${properties.kcInputWrapperClass!}">
+                    <label for="userLabel" class="control-label">${msg("loginTotpDeviceName")}</label> <#if totp.otpCredentials?size gte 1><span class="required">*</span></#if>
+                </div>
+
+                <div class="${properties.kcInputWrapperClass!}">
+                    <input type="text" class="${properties.kcInputClass!}" id="userLabel" name="userLabel" autocomplete="off"
+                           aria-invalid="<#if messagesPerField.existsError('userLabel')>true</#if>"
+                    />
+
+                    <#if messagesPerField.existsError('userLabel')>
+                        <span id="input-error-otp-label" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+                            ${kcSanitize(messagesPerField.get('userLabel'))?no_esc}
+                        </span>
+                    </#if>
+                </div>
             </div>
-        </div>
 
-        <#if isAppInitiatedAction??>
-            <input type="submit"
-                   class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}"
-                   id="saveTOTPBtn" value="${msg("doSubmit")}"
-            />
-            <button type="submit"
-                    class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!} ${properties.kcButtonLargeClass!}"
-                    id="cancelTOTPBtn" name="cancel-aia" value="true" />${msg("doCancel")}
-            </button>
-        <#else>
-            <input type="submit"
-                   class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}"
-                   id="saveTOTPBtn" value="${msg("doSubmit")}"
-            />
-        </#if>
-    </form>
+            <#if isAppInitiatedAction??>
+                <input type="submit"
+                       class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}"
+                       id="saveTOTPBtn" value="${msg("doSubmit")}"
+                />
+                <button type="submit"
+                        class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!} ${properties.kcButtonLargeClass!}"
+                        id="cancelTOTPBtn" name="cancel-aia" value="true" />${msg("doCancel")}
+                </button>
+            <#else>
+                <input type="submit"
+                       class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}"
+                       id="saveTOTPBtn" value="${msg("doSubmit")}"
+                />
+            </#if>
+        </form>
     </#if>
 </@layout.registrationLayout>
\ No newline at end of file

roles/keycloak/files/theme/archlinux/login/webauthn-register.ftl

@@ -26,6 +26,14 @@
         <script type="text/javascript">
 
             function registerSecurityKey() {
+
+                // Check if WebAuthn is supported by this browser
+                if (!window.PublicKeyCredential) {
+                    $("#error").val("${msg("webauthn-unsupported-browser-text")?no_esc}");
+                    $("#register").submit();
+                    return;
+                }
+
                 // mandatory parameters
                 let challenge = "${challenge}";
                 let userid = "${userid}";
@@ -167,4 +175,4 @@
         </#if>
 
     </#if>
-    </@layout.registrationLayout>
+    </@layout.registrationLayout>
\ No newline at end of file

roles/keycloak/files/theme/archlinux/welcome/index.ftl

@@ -29,7 +29,7 @@
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <meta name="robots" content="noindex, nofollow">
 
-    <link rel="shortcut icon" href="${resourcesCommonPath}/img/favicon.ico" />
+    <link rel="shortcut icon" href="${resourcesPath}/img/favicon.ico" />
 
     <#if properties.stylesCommon?has_content>
         <#list properties.stylesCommon?split(' ') as style>
@@ -127,7 +127,7 @@
         </div>
       </div>
       <div class='footer'>
-        <#if properties.displayFooter = "true">
+        <#if properties.displayCommunityLinks = "true">
         <a href="http://www.jboss.org"><img src="welcome-content/jboss_community.png" alt="JBoss and JBoss Community"></a>
         </#if>
       </div>

roles/matrix/tasks/main.yml

@@ -78,7 +78,7 @@
 - name: install synapse
   pip:
     name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.35.1'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.36.0'
     state: latest
     extra_args: '--upgrade-strategy=eager'
     virtualenv: /var/lib/synapse/venv
@@ -92,7 +92,7 @@
 - name: install pantalaimon
   pip:
     name:
-      - 'pantalaimon==0.9.3'
+      - 'pantalaimon==0.10.0'
     state: latest
     extra_args: '--upgrade-strategy=eager'
     virtualenv: /var/lib/synapse/venv-pantalaimon
@@ -148,7 +148,7 @@
   git:
     repo: https://github.com/matrix-org/matrix-appservice-irc
     dest: /var/lib/synapse/matrix-appservice-irc
-    version: 0.26.1
+    version: 0.27.0-rc3
   become: true
   become_user: synapse
   become_method: sudo

roles/matrix/templates/homeserver.yaml.j2

@@ -2965,18 +2965,3 @@ redis:
   # Optional password if configured on the Redis instance
   #
   #password: <secret_password>
-
-
-# Enable experimental features in Synapse.
-#
-# Experimental features might break or be removed without a deprecation
-# period.
-#
-experimental_features:
-  # Support for Spaces (MSC1772), it enables the following:
-  #
-  # * The Spaces Summary API (MSC2946).
-  # * Restricting room membership based on space membership (MSC3083).
-  #
-  # Uncomment to disable support for Spaces.
-  spaces_enabled: true

roles/matrix/templates/irc-bridge.yaml.j2

@@ -56,8 +56,13 @@ ircService:
       # It is also used in the Third Party Lookup API as the instance `desc`
       # property, where each server is an instance.
       name: "{{ matrix_server_name }}—{{ network.name }}"
-
+      # Additional addresses to connect to, used for load balancing between IRCDs.
       additionalAddresses: []
+      # Typically additionalAddresses would be in addition to the address key given above,
+      # but some configurations wish to exclusively use additional addresses while reserving
+      # the top key for identification purposes. Set this to true to exclusively use the
+      # additionalAddresses array when connecting to servers.
+      onlyAdditionalAddresses: false
       #
       # [DEPRECATED] Use `name`, above, instead.
       # A human-readable description string
@@ -78,15 +83,21 @@ ircService:
       sslselfsign: false
       # Should the connection attempt to identify via SASL (if a server or user password is given)
       # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS.
-      sasl: false
+      sasl: true
       # Whether to allow expired certs when connecting to the IRC server.
       # Usually this should be off. Default: false.
       allowExpiredCerts: false
-      # A specific CA to trust instead of the default CAs. Optional.
-      #ca: |
-      #  -----BEGIN CERTIFICATE-----
-      #  ...
-      #  -----END CERTIFICATE-----
+      # Set additional TLS options for the connections to the IRC server.
+      tlsOptions: {}
+        # A specific CA to trust instead of the default CAs. Optional.
+        #ca: |
+        #  -----BEGIN CERTIFICATE-----
+        #  ...
+        #  -----END CERTIFICATE-----
+        # Server name for the SNI (Server Name Indication) TLS extension. If the address you
+        # are using does not report the correct certificate name, you can override it here.
+        # servername: real.server.name
+        # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback
 
       #
       # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
@@ -182,6 +193,10 @@ ircService:
         # Should the AS publish the new Matrix room to the public room list so
         # anyone can see it? Default: true.
         published: true
+        # Publish the rooms to the homeserver directory, as oppose to the appservice
+        # room directory. Only used if `published` is on.
+        # Default: false
+        useHomeserverDirectory: false
         # What should the join_rule be for the new Matrix room? If 'public',
         # anyone can join the room. If 'invite', only users with an invite can
         # join the room. Note that if an IRC channel has +k or +i set on it,
@@ -206,6 +221,12 @@ ircService:
         # $SERVER => The IRC server address (e.g. "irc.example.com")
         # $CHANNEL => The IRC channel (e.g. "#python")
         # This MUST have $CHANNEL somewhere in it.
+        #
+        # In certain circumstances you might want to bridge your whole IRC network as a
+        # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
+        # template to just be $CHANNEL. Doing so will preclude you from supporting
+        # other prefix characters though.
+        #
         # Default: '#irc_$SERVER_$CHANNEL'
         aliasTemplate: "#{{ network.name }}_$CHANNEL"
         # A list of user IDs which the AS bot will send invites to in response
@@ -244,6 +265,13 @@ ircService:
             # Make virtual matrix clients join and leave rooms as their real IRC
             # counterparts join/part channels. Default: false.
             incremental: true
+            # Should the bridge check if all Matrix users are connected to IRC and
+            # joined to the channel before relaying messages into the room.
+            #
+            # This is considered a safety net to avoid any leakages by the bridge to
+            # unconnected users, but given it ignores all IRC messages while users
+            # are still connecting it may be overkill.
+            requireMatrixJoined: false
 
           matrixToIrc:
             # Get a snapshot of all real Matrix users in the room and join all of
@@ -547,6 +575,13 @@ ircService:
     enabled: false
     # The maximum number that can be set for the `lineLimit` configuration option
     # lineLimitMax: 5
+    # Allow matrix admins to disable or require Matrix users to be connected to the
+    # channel before any messages can be bridged. i.e. this is the per room
+    # version of `membershipLists.[].ircToMatrix.requireMatrixJoined`.
+    #
+    # If this is true, configuration in the room state will take priority over
+    # the configuration in the config file.
+    # allowUnconnectedMatrixUsers: true
 
 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.

roles/matrix/templates/pantalaimon.conf.j2

@@ -6,5 +6,6 @@ Notifications = Off
 Homeserver = https://{{ matrix_domain }}
 ListenAddress = 127.0.0.1
 ListenPort = 8009
-UseKeyring = No
 IgnoreVerification = True
+UseKeyring = No
+DropOldKeys = True

roles/prometheus/defaults/main.yml

@@ -60,6 +60,7 @@ blackbox_targets:
     - mail.archlinux.org:993
     - mail.archlinux.org:995
     - dashboards.archlinux.org:9090
+    - coc.archlinux.org:443
   smtp_starttls:
     - mail.archlinux.org:25
     - mail.archlinux.org:587

roles/redirects/defaults/main.yml

@@ -11,3 +11,7 @@ redirects:
     domain: static.conf.archlinux.org
     to: https://gitlab.archlinux.org/archlinux/conf-files/-/raw/master$request_uri
     type: 302
+  - coc:
+    domain: coc.archlinux.org
+    to: https://gitlab.archlinux.org/archlinux/service-agreements/-/blob/master/code-of-conduct.md
+    type: 302

tf-stage1/archlinux.tf

@@ -297,6 +297,7 @@ locals {
     logging       = { value = "monitoring" }
     status        = { value = "stats.uptimerobot.com." }
     svn           = { value = "gemini" }
+    coc           = { value = "redirect" }
 
     # MTA-STS
     mta-sts               = { value = "mail" }