Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • antiz/infrastructure
  • okabe/infrastructure
  • eworm/infrastructure
  • polyzen/infrastructure
  • pitastrudl/infrastructure
  • sjon/infrastructure
  • torxed/infrastructure
  • jinmiaoluo/infrastructure
  • moson/infrastructure
  • serebit/infrastructure
  • ivabus/infrastructure
  • lb-wilson/infrastructure
  • gromit/infrastructure
  • matt-1-2-3/infrastructure
  • jocke-l/infrastructure
  • alucryd/infrastructure
  • maximbaz/infrastructure
  • ainola/infrastructure
  • segaja/infrastructure
  • nl6720/infrastructure
  • peanutduck/infrastructure
  • aminvakil/infrastructure
  • xenrox/infrastructure
  • felixonmars/infrastructure
  • denisse/infrastructure
  • artafinde/infrastructure
  • jleclanche/infrastructure
  • kpcyrd/infrastructure
  • metalmatze/infrastructure
  • kevr/infrastructure
  • dvzrv/infrastructure
  • dhoppe/infrastructure
  • ekkelett/infrastructure
  • seblu/infrastructure
  • lahwaacz/infrastructure
  • klausenbusk/infrastructure
  • alerque/infrastructure
  • hashworks/infrastructure
  • foxboron/infrastructure
  • shibumi/infrastructure
  • lambdaclan/infrastructure
  • ffy00/infrastructure
  • freswa/infrastructure
  • archlinux/infrastructure
44 results
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 529 additions and 325 deletions
roles/borg_client/templates/borg-backup.sh.j2
View file @ 66f56fe4
......@@ -45,12 +45,6 @@ if systemctl is-active mysqld || systemctl is-active mariadb; then
/usr/local/bin/backup-mysql.sh || true
fi
{# When backing up to offsite, reuse the existing tarballs from the previous backup #}
{% if inventory_hostname == "gitlab.archlinux.org" and item['suffix'] != '-offsite' %}
# Create tarball backups of various GitLab directories using the official backup tool
systemctl is-active docker && /usr/local/bin/backup-gitlab.sh
{% endif %}
if is_btrfs "$src"; then
# List all btrfs submounts we want to backup, e.g. homedir.archlinux.org with "/ /home"
list_of_btrfs_submounts=$(findmnt -Rl -o target,fstype,options / | grep btrfs | grep -v docker | grep -v "subvol=\/[[:alnum:]]" | cut -d ' ' -f1)
......
roles/dbscripts/defaults/main.yml
View file @ 66f56fe4
---
dbscripts_commit: 20211216
dbscripts_commit: 20220131
dbscripts_update: true
dbscripts_pgp_emails: ['jelle@archlinux.org']
......
roles/dbscripts/templates/rsyncd.conf.proto.j2
View file @ 66f56fe4
......@@ -91,6 +91,15 @@ hosts deny = *
secrets file = /etc/rsyncd.secrets
max connections = 0
# Debug repositories
[debug_packages]
path = /srv/ftp
comment = debug packages
exclude = *
include = /*-debug/*** /pool /pool/*-debug/***
hosts allow = {{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | join(' ') }} {{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | join(' ') }} {{ hostvars['debuginfod.archlinux.org']['ipv4_address'] }} {{ hostvars['debuginfod.archlinux.org']['ipv6_address'] }}
max connections = 0
# Individual repositories
[core]
path = /srv/ftp/core
......
roles/debuginfod/defaults/main.yml 0 → 100644
View file @ 66f56fe4
---
debuginfod_httpd: false
debuginfod_domain: debuginfod.archlinux.org
debuginfod_port: 8002
debuginfod_database: /var/cache/debuginfod/debuginfod.sqlite
debuginfod_package_paths:
- /srv/ftp/pool/packages-debug
- /srv/ftp/pool/community-debug
roles/debuginfod/files/archlinux.png 0 → 100644
View file @ 66f56fe4
roles/debuginfod/files/archlinux.png

10.9 KiB

roles/debuginfod/files/index.html 0 → 100644
View file @ 66f56fe4
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Debuginfod service - Arch Linux</title>
</head>
<body>
<h1>Debuginfod service - Arch Linux</h1>
<img src="archlinux.png">
<p>This is the <a href="https://sourceware.org/elfutils/Debuginfod.html">debuginfod</a> service for Arch Linux. For more information about it, please refer to <a href="https://wiki.archlinux.org/title/Debuginfod">https://wiki.archlinux.org/title/Debuginfod</a>.</p>
<p>The following environment variable must be set in your shell to use it:</p>
<pre>DEBUGINFOD_URLS="https://debuginfod.archlinux.org"</pre>
<p>A dashboard can be found on <a href="https://dashboards.archlinux.org/d/U0xac1x7z/debuginfod?orgId=1">https://dashboards.archlinux.org/</a>.</p>
<p>List of currently available packages can be found on <a href="/packages">here</a>.</p>
</body>
</html>
roles/debuginfod/files/packagelist.service 0 → 100644
View file @ 66f56fe4
[Unit]
Description=Synchronize package list
[Service]
Type=oneshot
ExecStart=/usr/bin/bash -c "find /srv/ftp/pool/*-debug/ -type f -not -name *.sig > /srv/http/debuginfod/packages"
roles/debuginfod/files/packagelist.timer 0 → 100644
View file @ 66f56fe4
[Unit]
Description=Sync package lists every minute
[Timer]
OnCalendar=minutely
AccuracySec=1m
Persistent=true
[Install]
WantedBy=timers.target
roles/debuginfod/handlers/main.yml 0 → 100644
View file @ 66f56fe4
---
- name: reload debuginfod
service: name=debuginfod state=reloaded
roles/debuginfod/tasks/main.yml 0 → 100644
View file @ 66f56fe4
---
- name: install debuginfod
pacman: name=debuginfod state=present
- name: create ssl cert
include_role:
name: certificate
vars:
domains: ["{{ debuginfod_domain }}"]
when: debuginfod_domain
- name: configure debuginfod systemd service
template: src=debuginfod.service.j2 dest=/usr/lib/systemd/system/debuginfod.service owner=root group=root mode=0644
vars:
debuginfod_package_path: "{{ debuginfod_package_paths | join(' ') }}"
notify:
- reload debuginfod
- name: create http directory for debuginfod website files
file: path=/srv/http/debuginfod state=directory owner=root group=root mode=0755
- name: install website files
copy: src={{ item }} dest=/srv/http/debuginfod/{{ item }} owner=root group=root mode=0644
loop:
- archlinux.png
- index.html
- name: install packagelist units
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- packagelist.timer
- packagelist.service
- name: start and enable packagelist.timer
service: name=packagelist.timer enabled=yes state=started
- name: make nginx log dir
file: path=/var/log/nginx/{{ debuginfod_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/debuginfod.conf owner=root group=root mode=0644
notify:
- reload nginx
when: debuginfod_domain
tags: ['nginx']
- name: open debuginfod ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8002 accept"
tags:
- firewall
- name: start and enable debuginfod
service: name=debuginfod enabled=yes state=started
roles/debuginfod/templates/debuginfod.service.j2 0 → 100644
View file @ 66f56fe4
[Unit]
Description=debuginfod server
After=network.target network-online.target nss-lookup.target
[Service]
Type=simple
ExecStart=/usr/bin/debuginfod -d {{debuginfod_database}} -p {{debuginfod_port}} -F -Z .tar.zst=zstdcat {{debuginfod_package_path}}
Restart=on-failure
DynamicUser=yes
PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
ReadOnlyPaths={{debuginfod_package_path}}
CacheDirectory=debuginfod
[Install]
WantedBy=multi-user.target
roles/debuginfod/templates/nginx.d.conf.j2 0 → 100644
View file @ 66f56fe4
server {
listen 80;
listen [::]:80;
server_name {{ debuginfod_domain }};
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ debuginfod_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
access_log off;
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ debuginfod_domain }};
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log reduced;
access_log /var/log/nginx/{{ debuginfod_domain }}/access.log.json json_reduced;
error_log /var/log/nginx/{{ debuginfod_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ debuginfod_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ debuginfod_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ debuginfod_domain }}/chain.pem;
root /srv/http/debuginfod;
index index.html;
location / {
try_files $uri $uri/ @debuginfod;
}
location = /packages {
default_type "text/plain";
}
location @debuginfod {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8002;
}
}
roles/gitlab/defaults/main.yml deleted 100644 → 0
View file @ 3c773eca
gitlab_backupdir: /srv/gitlab/data/backups
roles/grafana/files/dashboards/backups.json
View file @ 66f56fe4
......@@ -99,7 +99,7 @@
"targets": [
{
"exemplar": true,
"expr": "10000*2^30",
"expr": "10240*2^30",
"interval": "",
"legendFormat": "Quota",
"queryType": "randomWalk",
......@@ -115,7 +115,7 @@
},
{
"exemplar": true,
"expr": "10000*2^30 - hetzner_storage_box_size_bytes{instance=\"monitoring.archlinux.org\"}",
"expr": "10240*2^30 - hetzner_storage_box_size_bytes{instance=\"monitoring.archlinux.org\"}",
"hide": false,
"interval": "",
"legendFormat": "Snapshots",
......@@ -123,7 +123,7 @@
},
{
"exemplar": true,
"expr": "10000*2^30 - hetzner_storage_box_free_bytes{instance=\"monitoring.archlinux.org\"}",
"expr": "10240*2^30 - hetzner_storage_box_free_bytes{instance=\"monitoring.archlinux.org\"}",
"hide": false,
"interval": "",
"legendFormat": "Total Used",
......
roles/keycloak/templates/standalone.xml.j2
View file @ 66f56fe4
<?xml version='1.0' encoding='UTF-8'?>
<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:16.0">
<server xmlns="urn:jboss:domain:19.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/>
......@@ -14,7 +14,6 @@
<extension module="org.jboss.as.mail"/>
<extension module="org.jboss.as.naming"/>
<extension module="org.jboss.as.remoting"/>
<extension module="org.jboss.as.security"/>
<extension module="org.jboss.as.transactions"/>
<extension module="org.jboss.as.weld"/>
<extension module="org.keycloak.keycloak-server-subsystem"/>
......@@ -29,31 +28,6 @@
<extension module="org.wildfly.extension.undertow"/>
</extensions>
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
......@@ -68,8 +42,8 @@
</logger>
</audit-log>
<management-interfaces>
<http-interface security-realm="ManagementRealm">
<http-upgrade enabled="true"/>
<http-interface http-authentication-factory="management-http-authentication">
<http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
......@@ -84,8 +58,69 @@
</access-control>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:logging:8.0">
<console-handler name="CONSOLE">
<level name="INFO"/>
<formatter>
<named-formatter name="COLOR-PATTERN"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<named-formatter name="PATTERN"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="io.jaegertracing.Configuration">
<level name="WARN"/>
</logger>
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
<formatter name="PATTERN">
<pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
</formatter>
<formatter name="COLOR-PATTERN">
<pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
</formatter>
</subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:postgresql://localhost:5432/{{ keycloak_db_name }}</connection-url>
<driver>postgresql</driver>
<security>
<user-name>{{ vault_keycloak_db_user }}</user-name>
<password>{{ vault_keycloak_db_password }}</password>
</security>
</datasource>
<drivers>
<driver name="postgresql" module="org.postgresql">
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
</driver>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
......@@ -146,45 +181,148 @@
</thread-pool>
</thread-pools>
<default-security-domain value="other"/>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
<default-missing-method-permissions-deny-access value="true"/>
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/>
</subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
<subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
<providers name="openssl"/>
</aggregate-providers>
<provider-loader name="elytron" module="org.wildfly.security.elytron"/>
<provider-loader name="openssl" module="org.wildfly.openssl"/>
</providers>
<audit-logging>
<file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
</audit-logging>
<security-domains>
<security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
<realm name="ManagementRealm" role-decoder="groups-to-roles"/>
<realm name="local" role-mapper="super-user-mapper"/>
</security-domain>
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
<realm name="local"/>
</security-domain>
</security-domains>
<security-realms>
<identity-realm name="local" identity="$local"/>
<properties-realm name="ApplicationRealm">
<users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
<groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
<properties-realm name="ManagementRealm">
<users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
<groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
</security-realms>
<mappers>
<simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
<permission-mapping>
<principal name="anonymous"/>
<permission-set name="default-permissions"/>
</permission-mapping>
<permission-mapping match-all="true">
<permission-set name="login-permission"/>
<permission-set name="default-permissions"/>
</permission-mapping>
</simple-permission-mapper>
<constant-realm-mapper name="local" realm-name="local"/>
<simple-role-decoder name="groups-to-roles" attribute="groups"/>
<constant-role-mapper name="super-user-mapper">
<role name="SuperUser"/>
</constant-role-mapper>
</mappers>
<permission-sets>
<permission-set name="login-permission">
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
</permission-set>
<permission-set name="default-permissions">
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set>
</permission-sets>
<http>
<http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="DIGEST">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="BASIC">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<provider-http-server-mechanism-factory name="global"/>
</http>
<sasl>
<sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
<properties>
<property name="wildfly.sasl.local-user.default-user" value="$local"/>
<property name="wildfly.sasl.local-user.challenge-path" value="${jboss.server.temp.dir}/auth"/>
</properties>
</configurable-sasl-server-factory>
<mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
<filters>
<filter provider-name="WildFlyElytron"/>
</filters>
</mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/>
</sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:infinispan:13.0">
<cache-container name="ejb" default-cache="passivation" marshaller="PROTOSTREAM" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="keycloak" marshaller="JBOSS" modules="org.keycloak.keycloak-model-infinispan">
<local-cache name="realms">
<heap-memory size="10000"/>
</local-cache>
......@@ -207,15 +345,15 @@
</local-cache>
<local-cache name="actionTokens">
<heap-memory size="-1"/>
<expiration max-idle="-1" interval="300000"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<cache-container name="server" default-cache="default" marshaller="PROTOSTREAM" modules="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<cache-container name="web" default-cache="passivation" marshaller="PROTOSTREAM" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
......@@ -227,14 +365,7 @@
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<cache-container name="hibernate" marshaller="JBOSS" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
......@@ -246,10 +377,44 @@
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>classpath:${jboss.home.dir}/providers/*</provider>
<provider>
classpath:${jboss.home.dir}/providers/*
</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
......@@ -328,65 +493,6 @@
<provider name="metrics-listener" enabled="true"/>
</spi>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
<https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:logging:8.0">
<console-handler name="CONSOLE">
<level name="INFO"/>
<formatter>
<named-formatter name="COLOR-PATTERN"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<named-formatter name="PATTERN"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="io.jaegertracing.Configuration">
<level name="WARN"/>
</logger>
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
<formatter name="PATTERN">
<pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
</formatter>
<formatter name="COLOR-PATTERN">
<pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
</formatter>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
......@@ -397,7 +503,7 @@
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
<http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
......@@ -407,175 +513,6 @@
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:postgresql://localhost:5432/{{ keycloak_db_name }}</connection-url>
<driver>postgresql</driver>
<security>
<user-name>{{ vault_keycloak_db_user }}</user-name>
<password>{{ vault_keycloak_db_password }}</password>
</security>
</datasource>
<drivers>
<driver name="postgresql" module="org.postgresql">
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
</driver>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
<providers name="openssl"/>
</aggregate-providers>
<provider-loader name="elytron" module="org.wildfly.security.elytron"/>
<provider-loader name="openssl" module="org.wildfly.openssl"/>
</providers>
<audit-logging>
<file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
</audit-logging>
<security-domains>
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
<realm name="local"/>
</security-domain>
<security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
<realm name="ManagementRealm" role-decoder="groups-to-roles"/>
<realm name="local" role-mapper="super-user-mapper"/>
</security-domain>
</security-domains>
<security-realms>
<identity-realm name="local" identity="$local"/>
<properties-realm name="ApplicationRealm">
<users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
<groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
<properties-realm name="ManagementRealm">
<users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
<groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
</security-realms>
<mappers>
<simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
<permission-mapping>
<principal name="anonymous"/>
<permission-set name="default-permissions"/>
</permission-mapping>
<permission-mapping match-all="true">
<permission-set name="login-permission"/>
<permission-set name="default-permissions"/>
</permission-mapping>
</simple-permission-mapper>
<constant-realm-mapper name="local" realm-name="local"/>
<simple-role-decoder name="groups-to-roles" attribute="groups"/>
<constant-role-mapper name="super-user-mapper">
<role name="SuperUser"/>
</constant-role-mapper>
</mappers>
<permission-sets>
<permission-set name="login-permission">
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
</permission-set>
<permission-set name="default-permissions">
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set>
</permission-sets>
<http>
<http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="DIGEST">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<provider-http-server-mechanism-factory name="global"/>
</http>
<sasl>
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
<properties>
<property name="wildfly.sasl.local-user.default-user" value="$local"/>
</properties>
</configurable-sasl-server-factory>
<mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
<filters>
<filter provider-name="WildFlyElytron"/>
</filters>
</mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/>
</sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
......@@ -586,6 +523,27 @@
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker http-authentication-factory="application-http-authentication"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<interfaces>
......@@ -608,4 +566,4 @@
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding>
</socket-binding-group>
</server>
</server>
\ No newline at end of file
roles/matrix/tasks/main.yml
View file @ 66f56fe4
......@@ -77,7 +77,7 @@
- name: install synapse
pip:
name:
- 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.51.0'
- 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.52.0'
state: latest
extra_args: '--upgrade-strategy=eager'
virtualenv: /var/lib/synapse/venv
......
roles/matrix/templates/homeserver.yaml.j2
View file @ 66f56fe4
......@@ -30,11 +30,11 @@
# documentation on how to configure or create custom modules for Synapse.
#
modules:
# - module: my_super_module.MySuperClass
# config:
# do_thing: true
# - module: my_other_super_module.SomeClass
# config: {}
#- module: my_super_module.MySuperClass
# config:
# do_thing: true
#- module: my_other_super_module.SomeClass
# config: {}
spam_checker:
- module: mjolnir.AntiSpam
......@@ -482,6 +482,20 @@ limit_remote_rooms:
#
#allow_per_room_profiles: false
# The largest allowed file size for a user avatar. Defaults to no restriction.
#
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
#max_avatar_size: 10M
# The MIME types allowed for user avatars. Defaults to no restriction.
#
# Note that user avatar changes will not work if this is set without
# using Synapse's media repository.
#
#allowed_avatar_mimetypes: ["image/png", "image/jpeg", "image/gif"]
# How long to keep redacted events in unredacted form in the database. After
# this period redacted events get replaced with their redacted form in the DB.
#
......@@ -1452,6 +1466,16 @@ auto_join_mxid_localpart: mjolnir
#
auto_join_rooms_for_guests: false
# Whether to inhibit errors raised when registering a new account if the user ID
# already exists. If turned on, that requests to /register/available will always
# show a user ID as available, and Synapse won't raise an error when starting
# a registration with a user ID that already exists. However, Synapse will still
# raise an error if the registration completes and the username conflicts.
#
# Defaults to false.
#
#inhibit_user_in_use_error: true
## Metrics ###
......
roles/prometheus/defaults/main.yml
View file @ 66f56fe4
......@@ -3,6 +3,11 @@ gitlab_runner_exporter_port: '9252'
prometheus_domain: "{{ hostvars['dashboards.archlinux.org']['wireguard_address'] }}"
prometheus_mysqld_exporter_port: '9104'
prometheus_receive_only: false
prometheus_remote_write_relabel_configs:
- label: job
regex: debuginfod
- label: __name__
regex: "archive_directory_size_bytes|archive_total_packages|rebuilderd_results|rebuilderd_workers|rebuilderd_queue_length|repository_directory_size_bytes|aur_.+"
# for d in $(curl -sf "https://crt.sh/?q=archlinux.org&output=json" "https://crt.sh/?q=pkgbuild.com&output=json" | jq -r ".[].name_value" | sort -u); do if curl -o /dev/null -sS "https://$d"; then echo $d; fi; done | grep -v "\@" | sort | sed "s/^/ - https:\/\//"
blackbox_targets:
......@@ -57,6 +62,7 @@ blackbox_targets:
- mail.archlinux.org:465
- mail.archlinux.org:993
- coc.archlinux.org:443
- debuginfod.archlinux.org:443
smtp_starttls:
- mail.archlinux.org:25
- lists.archlinux.org:25
......
roles/prometheus/templates/prometheus.yml.j2
View file @ 66f56fe4
......@@ -14,14 +14,16 @@ alerting:
- localhost:9093
remote_write:
{% for relabel_config in prometheus_remote_write_relabel_configs %}
- url: http://{{ prometheus_domain }}:9090/api/v1/write
write_relabel_configs:
- source_labels: [__name__]
regex: "archive_directory_size_bytes|archive_total_packages|rebuilderd_results|rebuilderd_workers|rebuilderd_queue_length|repository_directory_size_bytes|aur_.+"
- source_labels: [{{ relabel_config.label }}]
regex: "{{ relabel_config.regex }}"
action: keep
basic_auth:
username: {{ vault_prometheus_user }}
password: {{ vault_prometheus_passwd }}
{% endfor %}
scrape_configs:
- job_name: prometheus
......@@ -67,6 +69,12 @@ scrape_configs:
{% endfor %}
- job_name: 'debuginfod'
static_configs:
- targets: ['{{ hostvars['debuginfod.archlinux.org']['wireguard_address'] }}:8002']
labels:
instance: "debuginfod.archlinux.org"
- job_name: 'gitlab_runner_exporter'
static_configs:
{% for host in groups['gitlab_runners'] %}
......
roles/syncdebug/files/syncdebug 0 → 100755
View file @ 66f56fe4
#!/bin/bash
target="/srv/ftp"
lock="/var/lock/syncdebug.lck"
source_url='rsync://rsync.archlinux.org/debug_packages'
lastupdate_url='https://rsync.archlinux.org/lastupdate'
[ ! -d "${target}" ] && mkdir -p "${target}"
exec 9>"${lock}"
flock -n 9 || exit
rsync_cmd() {
local -a cmd=(rsync -rlptH --safe-links --delete-delay --delay-updates
"--timeout=600" "--contimeout=60" --no-motd)
if stty &>/dev/null; then
cmd+=(-h -v --progress)
else
cmd+=("--info=name1")
fi
"${cmd[@]}" "$@"
}
# if we are called without a tty (cronjob) only run when there are changes
if ! tty -s && [[ -f "$target/lastupdate" ]] && diff -b <(curl -Ls "$lastupdate_url") "$target/lastupdate" >/dev/null; then
exit 0
fi
rsync_cmd \
--include="*-debug/***" \
--include="pool/" \
--include="pool/*-debug/***" \
--exclude="*" \
"${source_url}" \
"${target}"