.ansible-lint

@@ -14,3 +14,5 @@ skip_list:
   - 'meta-no-info'
   # Allow package versions to be specified as 'latest'
   - 'package-latest'
+  # Don't require FQCN for builtin actions
+  - 'fqcn-builtins'

.gitlab-ci.yml

 image: "archlinux:latest"
 
-before_script:
-  - pacman -Syu --needed --noconfirm ansible-lint ansible yamllint terraform
-
 ansible-lint:
+  before_script:
+    - pacman -Syu --needed --noconfirm ansible-lint ansible
   script:
     # Fix weird ansible bug: https://github.com/trailofbits/algo/issues/1637
     # This probably happens due to gitlab-runner mounting the git repo into the container
@@ -15,6 +14,8 @@ ansible-lint:
     - ansible-lint $(printf -- "--exclude %s " */*/vault_*)
 
 terraform-validate:
+  before_script:
+    - pacman -Syu --needed --noconfirm terraform diffutils
   script:
     - cd tf-stage1
     - terraform init -backend=false

group_vars/all/archusers.yml

@@ -29,6 +29,7 @@ arch_users:
     ssh_key: alad.pub
     hosts:
       - mail.archlinux.org
+      - homedir.archlinux.org
     groups:
       - support-staff
   alerque:
@@ -41,6 +42,7 @@ arch_users:
     ssh_key: alex19ep.pub
     groups:
       - tu
+      - multilib
   allan:
     name: "Allan McRae"
     ssh_key: allan.pub

group_vars/all/vault_security_tracker.yml

 $ANSIBLE_VAULT;1.1;AES256
-62386537326331346332353038653137616430366531626637653762636135353232653835333831
-6431393138396537373937663963646365313464326565380a386266316266316463663163343434
-62333165643134663564366136633238613238373636353033303136653662343465326665616239
-3161326364306430350a343138653566363464333366353131383430336431363964613831303561
-34636163313064643830336665386635396231646533356163623938323165626236336633393863
-63313338316639333033393239336131306231346237353934393838323861646264656361346533
-32363864663436613333373130383462656134386632636337376539323562366137313762623433
-34663561626265626165383736656566353135336630656638373139353238636262313035366265
-61653965636331626162323539353635626337313830616634323236656463316331
+62336563323762646634643633386665333866653263363636326665396132653433336635366439
+6138343537306135663332306465643337333733613530390a353331666236633437666237383536
+39373036373963633234663234386164373663366530323963363732393061333562363636303431
+6530353331613734330a343065366162346263396262316133323362656234343036623861626164
+32316337666433386162656534376533383064666365303261393534306134643831666265656637
+33353239623830323039343237303164316636636431346361336437333037356635363461366434
+36326365313663363939393565663535396130383961303763303461303961636639623136623039
+31646630613161633835613636613339303038633961383930623165646366396361343933396464
+38623937623633326463303734623738663535393332356361646136313331656135383639623866
+37386332653964323636333063323439653436386436383263316465313262633532393839636633
+65346336346264343730323330633333336366633065336230316234386661373235356330346339
+61353835646665396363336232633733626661336361623364623433303065383131373062663965
+34353033396636343165373061653834653862343962373630636630373164646139

host_vars/build.archlinux.org/misc

@@ -2,7 +2,7 @@
 hostname: "build.archlinux.org"
 network_interface: "enp195s0"
 ipv4_address: "135.181.138.48"
-ipv4_netmask: "/26"
+ipv4_netmask: "/32"
 ipv6_address: "2a01:4f9:3a:120f::2"
 ipv6_netmask: "/128"
 ipv4_gateway: "135.181.138.1"

hosts

 [hetzner]
 secure-runner1.archlinux.org
 gemini.archlinux.org
+build.archlinux.org
 
 [packet_net]
 runner2.archlinux.org

packer/archlinux.json

@@ -10,16 +10,17 @@
             "custom_image": "archlinux"
         },
         "token": "{{ user `hetzner_cloud_api_key` }}",
-        "image": "ubuntu-18.04",
+        "image": "ubuntu-20.04",
         "server_type": "cx11",
         "ssh_username": "root",
-        "location": "nbg1",
+        "location": "fsn1",
         "rescue": "linux64"
     }],
     "provisioners": [{
         "type": "ansible",
         "playbook_file": "playbooks/tasks/install_arch.yml",
         "host_alias": "packer-base-image",
-        "inventory_directory": "."
+        "inventory_directory": ".",
+        "use_proxy": false
     }]
 }

playbooks/tasks/install_arch.yml

@@ -9,5 +9,5 @@
   roles:
     - install_arch
   vars:
-    - bootstrap_version: "2021.04.01"
+    - bootstrap_version: "2022.03.01"
     - sshd_enable_includes: false

roles/archbuild/templates/makepkg.conf.j2

@@ -9,10 +9,10 @@
 #
 #-- The download utilities that makepkg should use to acquire sources
 #  Format: 'protocol::agent'
-DLAGENTS=('file::/usr/bin/curl -gqC - -o %o %u'
-          'ftp::/usr/bin/curl -gqfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
-          'http::/usr/bin/curl -gqb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
-          'https::/usr/bin/curl -gqb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
+          'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+          'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
           'rsync::/usr/bin/rsync --no-motd -z %u %o'
           'scp::/usr/bin/scp -C %u %o')
 
@@ -24,6 +24,7 @@ DLAGENTS=('file::/usr/bin/curl -gqC - -o %o %u'
 #-- The package required by makepkg to download VCS sources
 #  Format: 'protocol::package'
 VCSCLIENTS=('bzr::bzr'
+            'fossil::fossil'
             'git::git'
             'hg::mercurial'
             'svn::subversion')
@@ -36,22 +37,27 @@ CARCH="x86_64"
 CHOST="x86_64-pc-linux-gnu"
 
 #-- Compiler and Linker Flags
-CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt"
-CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt"
+#CPPFLAGS=""
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+        -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
+        -fstack-clash-protection -fcf-protection"
+CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
 LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+LTOFLAGS="-flto=auto"
+#RUSTFLAGS="-C opt-level=2"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
 MAKEFLAGS="-j{{ ansible_processor_vcpus + 1 }}"
 #-- Debugging flags
-DEBUG_CFLAGS="-g -fvar-tracking-assignments"
-DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CFLAGS="-g"
+DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
+#DEBUG_RUSTFLAGS="-C debuginfo=2"
 
 #########################################################################
 # BUILD ENVIRONMENT
 #########################################################################
 #
-# Defaults: BUILDENV=(!distcc !color !ccache check !sign)
+# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
 #  A negated environment option will do the opposite of the comments below.
 #
 #-- distcc:   Use the Distributed C/C++/ObjC compiler
@@ -74,7 +80,7 @@ BUILDENV=(!distcc color !ccache check !sign)
 #   These are default values for the options=() settings
 #########################################################################
 #
-# Default: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug)
+# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto)
 #  A negated option will do the opposite of the comments below.
 #
 #-- strip:      Strip symbols from binaries/libraries
@@ -85,11 +91,12 @@ BUILDENV=(!distcc color !ccache check !sign)
 #-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
 #-- purge:      Remove files specified by PURGE_TARGETS
 #-- debug:      Add debugging flags as specified in DEBUG_* variables
+#-- lto:        Add compile flags for building with link time optimization
 #
-OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug)
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto)
 
-#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
-INTEGRITY_CHECK=(md5)
+#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
+INTEGRITY_CHECK=(sha256)
 #-- Options to be used when stripping binaries. See `man strip' for details.
 STRIP_BINARIES="--strip-all"
 #-- Options to be used when stripping shared libraries. See `man strip' for details.
@@ -132,16 +139,23 @@ SRCDEST="/var/lib/archbuilddest/srcdest"
 COMPRESSGZ=(gzip -c -f -n)
 COMPRESSBZ2=(bzip2 -c -f)
 COMPRESSXZ=(xz -c -z -)
+COMPRESSZST=(zstd -c -z -q -)
 COMPRESSLRZ=(lrzip -q)
 COMPRESSLZO=(lzop -q)
 COMPRESSZ=(compress -c -f)
+COMPRESSLZ4=(lz4 -q)
+COMPRESSLZ=(lzip -c -f)
 
 #########################################################################
 # EXTENSION DEFAULTS
 #########################################################################
 #
-# WARNING: Do NOT modify these variables unless you know what you are
-#          doing.
-#
-PKGEXT='.pkg.tar.xz'
+PKGEXT='.pkg.tar.zst'
 SRCEXT='.src.tar.gz'
+
+#########################################################################
+# OTHER
+#########################################################################
+#
+#-- Command used to run pacman as root, instead of trying sudo and su
+#PACMAN_AUTH=()

roles/archwiki/defaults/main.yml

@@ -4,7 +4,7 @@ archwiki_domain: 'wiki.archlinux.org'
 archwiki_nginx_conf: '/etc/nginx/nginx.d/archwiki.conf'
 archwiki_user: 'archwiki'
 archwiki_repository: 'https://github.com/archlinux/archwiki.git'
-archwiki_version: '1.37.1-4'
+archwiki_version: '1.37.2-1'
 archwiki_question_answer_file: '/srv/http/archwiki/registration-question-answer.txt'
 
 archwiki_socket: '/run/php-fpm/archwiki.socket'

roles/archwiki/templates/LocalSettings.php.j2

@@ -56,7 +56,7 @@ $wgDebugLogGroups = array(
 $wgMainCacheType = CACHE_MEMCACHED;
 $wgParserCacheType = CACHE_MEMCACHED;
 $wgMessageCacheType = CACHE_MEMCACHED;
-$wgMemCachedServers = [ "unix://{{ archwiki_memcached_socket }}:0" ];
+$wgMemCachedServers = [ "unix://{{ archwiki_memcached_socket }}" ];
 
 # security headers
 $wgReferrerPolicy = ["no-referrer-when-downgrade"];

roles/archwiki/templates/nginx.d.conf.j2

@@ -122,12 +122,16 @@ server {
         limit_req zone=archwikilimit burst=10 nodelay;
     }
 
-    # whitelist known OK directories
-    location ~ ^/(?:skins|resources|images|extensions/ArchLinux/modules|extensions/WikiEditor/modules/images/toolbar|extensions/CodeMirror/resources/mode/mediawiki/img)/ {
+    # MediaWiki assets
+    location ~ ^/(?:images|resources/(?:assets|lib|src)|(?:skins|extensions)/.+\.(?:css|js|gif|jpg|jpeg|png|svg|wasm)$) {
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
+    location /images/deleted {
+        # Deny access to deleted images folder
+        deny all;
+    }
 
     # block all other directories
     location ~ ^/[^/]+/ {

roles/aurweb/templates/nginx.d.conf.j2

@@ -10,6 +10,11 @@ upstream smartgit {
     server unix://{{ smartgit_socket }};
 }
 
+# limit Git requests to block Git DoS attempts.
+# # grep aurwebgitlimit /var/log/nginx/aur.archlinux.org/error.log | awk '{ print $14 }' | sort | uniq | sort
+limit_req_zone $binary_remote_addr zone=aurwebgitlimit:10m rate=30r/m;
+limit_req_status 429;
+
 server {
     listen       80;
     listen       [::]:80;
@@ -47,6 +52,7 @@ server {
     }
 
     location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
+	limit_req zone=aurwebgitlimit burst=300 nodelay;
         include      uwsgi_params;
         uwsgi_pass   smartgit;
         uwsgi_modifier1 9;
@@ -58,6 +64,7 @@ server {
     }
 
     location ~ ^/cgit {
+        limit_req zone=aurwebgitlimit burst=300 nodelay;
         include uwsgi_params;
         rewrite ^/cgit/([^?/]+/[^?]*)?(?:\?(.*))?$ /cgit.cgi?url=$1&$2 last;
         uwsgi_modifier1 9;

roles/common/tasks/main.yml

@@ -84,15 +84,19 @@
     sysctl_file: /etc/sysctl.d/net.conf
   when: tcp_wmem is defined
 
-- name: configure journald
-  template: src={{ item }}.j2 dest=/etc/systemd/{{ item }} owner=root group=root mode=644
-  with_items:
+- name: create drop-in directories for systemd configuration
+  file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755
+  loop:
+    - system.conf
     - journald.conf
+
+- name: install journald.conf overrides
+  template: src=journald.conf.j2 dest=/etc/systemd/journald.conf.d/override.conf owner=root group=root mode=644
   notify:
     - restart journald
 
-- name: install system.conf
-  template: src=system.conf.j2 dest=/etc/systemd/system.conf owner=root group=root mode=0644
+- name: install system.conf overrides
+  template: src=system.conf.j2 dest=/etc/systemd/system.conf.d/override.conf owner=root group=root mode=0644
   notify:
     - systemd daemon-reload
 

roles/common/templates/journald.conf.j2

-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU Lesser General Public License as published by
-#  the Free Software Foundation; either version 2.1 of the License, or
-#  (at your option) any later version.
-#
-# Entries in this file show the compile time defaults.
-# You can change settings by editing this file.
-# Defaults can be restored by simply deleting this file.
-#
-# See journald.conf(5) for details.
-
 [Journal]
-#Storage=auto
-#Compress=yes
-#Seal=yes
-#SplitMode=uid
-#SyncIntervalSec=5m
-#RateLimitIntervalSec=30s
 RateLimitBurst=100000
-#SystemMaxUse=
-#SystemKeepFree=
-#SystemMaxFileSize=
 SystemMaxFiles=10000
-#RuntimeMaxUse=
-#RuntimeKeepFree=
-#RuntimeMaxFileSize=
-#RuntimeMaxFiles=100
-#MaxRetentionSec=
-#MaxFileSec=1month
-#ForwardToSyslog=no
-#ForwardToKMsg=no
-#ForwardToConsole=no
 ForwardToWall=no
-#TTYPath=/dev/console
-#MaxLevelStore=debug
-#MaxLevelSyslog=debug
-#MaxLevelKMsg=notice
-#MaxLevelConsole=info
-#MaxLevelWall=emerg
-#LineMax=48K
-#ReadKMsg=yes

roles/common/templates/mirrorlist.j2

-{% if 'mirrors' in group_names or 'buildservers' in group_names %}
+{% if 'buildservers' in group_names %}
+Server = https://repos.archlinux.org/$repo/os/$arch
+{% endif %}
+{% if 'mirrors' in group_names or inventory_hostname == 'gemini.archlinux.org' %}
 Server = file:///srv/ftp/$repo/os/$arch
 {% endif %}
-Server = https://mirror.pkgbuild.com/$repo/os/$arch/
+Server = https://mirror.pkgbuild.com/$repo/os/$arch

roles/common/templates/system.conf.j2

-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU Lesser General Public License as published by
-#  the Free Software Foundation; either version 2.1 of the License, or
-#  (at your option) any later version.
-#
-# Entries in this file show the compile time defaults.
-# You can change settings by editing this file.
-# Defaults can be restored by simply deleting this file.
-#
-# See systemd-system.conf(5) for details.
-
 [Manager]
-#LogLevel=info
-#LogTarget=journal-or-kmsg
-#LogColor=yes
-#LogLocation=no
-#DumpCore=yes
-#ShowStatus=yes
-#CrashChangeVT=no
-#CrashShell=no
-#CrashReboot=no
-#CtrlAltDelBurstAction=reboot-force
-#CPUAffinity=1 2
 RuntimeWatchdogSec=5min
-#ShutdownWatchdogSec=10min
-#WatchdogDevice=
-#CapabilityBoundingSet=
-#NoNewPrivileges=no
-#SystemCallArchitectures=
-#TimerSlackNSec=
-#DefaultTimerAccuracySec=1min
-#DefaultStandardOutput=journal
-#DefaultStandardError=inherit
-#DefaultTimeoutStartSec=90s
-#DefaultTimeoutStopSec=90s
-#DefaultRestartSec=100ms
-#DefaultStartLimitIntervalSec=10s
-#DefaultStartLimitBurst=5
-#DefaultEnvironment=
-DefaultCPUAccounting=yes
-DefaultIOAccounting=no
-DefaultIPAccounting=no
-DefaultBlockIOAccounting=no
-DefaultMemoryAccounting=yes
-DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
-#DefaultLimitCPU=
-#DefaultLimitFSIZE=
-#DefaultLimitDATA=
-#DefaultLimitSTACK=
-#DefaultLimitCORE=
-#DefaultLimitRSS=
-#DefaultLimitNOFILE=1024:524288
-#DefaultLimitAS=
-#DefaultLimitNPROC=
-#DefaultLimitMEMLOCK=
-#DefaultLimitLOCKS=
-#DefaultLimitSIGPENDING=
-#DefaultLimitMSGQUEUE=
-#DefaultLimitNICE=
-#DefaultLimitRTPRIO=
-#DefaultLimitRTTIME=

roles/dbscripts/templates/nginx.d.conf.j2

@@ -14,8 +14,6 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
 
-    satisfy  any;
-
     access_log   /var/log/nginx/{{ repos_domain }}/access.log reduced;
     access_log   /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
 
@@ -24,8 +22,18 @@ server {
     }
 
     location / {
+        satisfy any;
         auth_request /devel/mirrorauth/;
 
+{% for host in groups['buildservers'] | sort %}
+        # {{ host }}
+{% for address in ['ipv4_address', 'ipv6_address'] if address in hostvars[host] %}
+        allow {{ hostvars[host][address] }};
+{% else %}
+        # no addresses defined in hostvars
+{% endfor %}
+
+{% endfor %}
         autoindex  on;
     }
 
@@ -50,7 +58,7 @@ server {
 
         # Authentication to archweb
         proxy_pass https://archlinux.org;
-	proxy_ssl_verify on;
-	proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        proxy_ssl_verify on;
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
     }
 }

roles/geoipupdate/tasks/main.yml

@@ -4,18 +4,7 @@
   pacman: name=geoipupdate state=present
 
 - name: configure geoipupdate
-  lineinfile:
-    path: /etc/GeoIP.conf
-    regex: '^#*\s*{{ item.setting }} '
-    line: '{{ item.setting }} {{ item.value }}'
-    owner: root
-    group: root
-    mode: 0600
-  no_log: true
-  loop:
-    - { setting: AccountID, value: '{{ vault_mirror_maxmind_id }}' }
-    - { setting: LicenseKey, value: '{{ vault_mirror_maxmind_license }}' }
-    - { setting: EditionIDs, value: '{{ geoipupdate_edition_ids }}' }
+  template: src=GeoIP.conf.j2 dest=/etc/GeoIP.conf owner=root group=root mode=0600
 
 - name: create drop-in directory for geoipupdate.service
   file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755

roles/geoipupdate/templates/GeoIP.conf.j2

+AccountID {{ vault_mirror_maxmind_id }}
+LicenseKey {{ vault_mirror_maxmind_license }}
+
+EditionIDs {{ geoipupdate_edition_ids }}