
Compare revisions

Showing
with 77 additions and 28 deletions
- name: Fill tempfile
copy: content="{{ lookup('template', 'authorized_keys_client.j2') }}" dest="{{ tempfile.path }}" mode=preserve
template: src=authorized_keys_client.j2 dest={{ tempfile.path }} mode=preserve
no_log: true
- name: Upload authorized_keys file to {{ backup_dir }}/{{ item.item }}
......
......@@ -27,11 +27,11 @@
- name: Partition and format the disks (btrfs RAID)
command: mkfs.btrfs -f -L root -d {{ raid_level | default('raid1') }} -m {{ raid_level | default('raid1') }} -O no-holes {{ system_disks | map('regex_replace', '^(.*)$', '\g<1>p2' if 'nvme' in system_disks[0] else '\g<1>2') | join(' ') }}
when: filesystem == "btrfs" and system_disks|length >= 2
when: filesystem == "btrfs" and system_disks | length >= 2
- name: Partition and format the disks (btrfs single)
command: mkfs.btrfs -f -L root -d single -m single -O no-holes {{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}
when: filesystem == "btrfs" and system_disks|length == 1
when: filesystem == "btrfs" and system_disks | length == 1
- name: Mount the filesystem (btrfs)
mount: src="{{ system_disks[0] }}{{ 'p2' if 'nvme' in system_disks[0] else '2' }}" path=/mnt state=mounted fstype=btrfs opts="compress-force=zstd,space_cache=v2"
......
......@@ -45,11 +45,17 @@ lists:
arch-general:
description: General Discussion about Arch Linux
display_name: Arch-general
info: "This mailing list hosts general discusson about the Arch Linux distribution. Questions, problems, and new development ideas can be posted here.\n\nYou must be subscribed to the list in order to post to it."
info: |
This mailing list hosts general discusson about the Arch Linux distribution. Questions, problems, and new development ideas can be posted here.
You must be subscribed to the list in order to post to it.
arch-mirrors-announce:
description: List for mirror admins to send announcements (like downtime notifications) to our users
display_name: Arch-mirrors-announce
info: "This list is intended for admins of Arch Linux mirrors that want to notify our users about downtime of their mirror.\r\n\r\nThis list also accepts mails from non-subscribers."
info: |
This list is intended for admins of Arch Linux mirrors that want to notify our users about downtime of their mirror.
This list also accepts mails from non-subscribers.
arch-mirrors:
description: Arch Linux Mirroring Discussion and Announcements
display_name: Arch-mirrors
......@@ -67,7 +73,12 @@ lists:
arch-projects:
description: Arch Linux projects development discussion
display_name: Arch-projects
info: "Announcements, development discussion, patches and pull requests for the Arch Linux projects:<ul><li><a target=\"blank\" href=\"https://github.com/archlinux/archweb/\">archweb</a> (patches preferably on Github as pull requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/arch-release-promotion/\">arch-release-promotion</a> (patches only on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/dbscripts/\">dbscripts</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/devtools/\">devtools</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://github.com/archlinux/mkinitcpio/\">mkinitcpio</a> (patches preferably on Github as pull requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/namcap/\">namcap</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/netctl/\">netctl</a> (patches preferably on the mailing list)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/pyalpm/\">pyalpm</a> (patches preferably on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/repod/\">repod</a> (patches only on GitLab as merge requests)</li><li><a target=\"blank\" href=\"https://gitlab.archlinux.org/archlinux/shim-signed/\">shim-signed</a> (contributions preferably on GitLab as merge requests)</li></ul>\r\nPlease begin the email subject with the name of a project in square brackets (e.g. <code>[devtools]</code>). If no project matches, use <code>[projects]</code>.\r\n\r\nNote: No user discussion!"
info: |
Announcements, development discussion, patches and pull requests for the Arch Linux projects:<ul><li><a target="blank" href="https://github.com/archlinux/archweb/">archweb</a> (patches preferably on Github as pull requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/arch-release-promotion/">arch-release-promotion</a> (patches only on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/dbscripts/">dbscripts</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/devtools/">devtools</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://github.com/archlinux/mkinitcpio/">mkinitcpio</a> (patches preferably on Github as pull requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/namcap/">namcap</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/netctl/">netctl</a> (patches preferably on the mailing list)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/pyalpm/">pyalpm</a> (patches preferably on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/repod/">repod</a> (patches only on GitLab as merge requests)</li><li><a target="blank" href="https://gitlab.archlinux.org/archlinux/shim-signed/">shim-signed</a> (contributions preferably on GitLab as merge requests)</li></ul>
Please begin the email subject with the name of a project in square brackets (e.g. <code>[devtools]</code>). If no project matches, use <code>[projects]</code>.
Note: No user discussion!
arch-releng:
description: Arch Linux Release Engineering
display_name: Arch-releng
......@@ -85,12 +96,16 @@ lists:
arch-wiki-admins:
advertised: false
archive_policy: private
default_nonmember_action: defer
display_name: Arch-wiki-admins
subscription_policy: confirm_then_moderate
arch-women:
description: Mailing list for the Arch Women project
display_name: Arch-women
info: "<a href=\"https://archwomen.org/\">Arch Women</a> is an all inclusive organization of Arch Linux enthusiasts with a focus on helping more women become involved in the Arch Linux community and FOSS.\r\n\r\nMailing list graciously hosted by the Arch Linux™ project."
info: |
<a href="https://archwomen.org/">Arch Women</a> is an all inclusive organization of Arch Linux enthusiasts with a focus on helping more women become involved in the Arch Linux community and FOSS.
Mailing list graciously hosted by the Arch Linux™ project.
aur-dev:
description: Arch User Repository (AUR) Development
display_name: Aur-dev
......
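Review bot: The `info: |` block scalars on the new side end with a trailing newline that the old double-quoted strings did not have, so every converted `info` value (arch-general, arch-mirrors-announce, arch-projects, arch-women) now differs from the previous one; `info: |-` keeps the end of the text identical. If the role compares these values against the running list configuration, the clipped form may report a change on every run, which is worth confirming. Blank lines are not visible in this rendering, so check that each block still has an empty line wherever the old string had `\n\n` or `\r\n\r\n`. Separately, the carried-over links use `target="blank"`, which names a window rather than opening a new one; `target="_blank" rel="noopener"` is probably what was meant.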
- name: Install mailman3 and related packages
pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,uwsgi-plugin-python state=present
pacman: name=mailman3,mailman3-hyperkitty,python-psycopg2,mailman-web,python-xapian-haystack,uwsgi-plugin-python state=present
register: install
- name: Install {mailman,mailman-web} configuration
......@@ -69,7 +69,7 @@
- mailman3-notify.timer
- uwsgi@mailman\x2dweb.service
- name: update list configurations
- name: Update list configurations
uri:
url: http://localhost:8001/3.1/lists/{{ item }}.lists.archlinux.org/config
user: "{{ vault_mailman_admin_user }}"
......
......@@ -10,8 +10,8 @@ server {
access_log /var/log/nginx/{{ lists_domain }}/access.log.json json_main;
error_log /var/log/nginx/{{ lists_domain }}/error.log;
location /static {
alias /var/lib/mailman-web/static;
location /static/ {
alias /var/lib/mailman-web/static/;
}
# include uwsgi_params
......
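Review bot: The trailing slashes on `location /static/` and `alias /var/lib/mailman-web/static/;` are load-bearing and deserve a comment, so that a later cleanup does not drop one of them. nginx's `alias` substitutes the matched prefix textually, and a prefix without the closing slash also matches request paths that continue past `static`, which can then resolve outside the static directory. Suggested comment above the block: `# keep the trailing slash on both location and alias; without it the prefix match can map requests outside static/`. The server block starts and ends outside this hunk.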
......@@ -51,7 +51,7 @@ HYPERKITTY_ENABLE_GRAVATAR = False
HAYSTACK_CONNECTIONS = {
'default': {
'ENGINE': 'haystack.backends.whoosh_backend.WhooshEngine',
'PATH': '/var/lib/mailman-web/fulltext_index'
'ENGINE': 'xapian_backend.XapianEngine',
'PATH': '/var/lib/mailman-web/xapian_index'
}
}
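Review bot: Pointing `PATH` at `/var/lib/mailman-web/xapian_index` leaves the old Whoosh index in `/var/lib/mailman-web/fulltext_index` on disk, and nothing visible in this section removes it or builds the new index. The old directory still holds indexed archive text, so it is better removed than left as an unmaintained copy, for example with `file: path=/var/lib/mailman-web/fulltext_index state=absent` in the role's tasks. Search will presumably return nothing until the Xapian index has been built once, so a one-off rebuild step is worth adding or documenting unless it is handled elsewhere in this change.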
......@@ -6,7 +6,7 @@
- name: Create the service http root dir
file: path={{ maintenance_http_dir }}/{{ service_domain }} state=directory owner=root group=root mode=0755
when: maintenance is defined and maintenance|bool
when: maintenance is defined and maintenance | bool
- name: Set up nginx maintenance mode
template:
......@@ -16,7 +16,7 @@
group: root
mode: 0644
notify: Reload nginx
when: service_nginx_template is not defined and maintenance is defined and maintenance|bool
when: service_nginx_template is not defined and maintenance is defined and maintenance | bool
- name: Set up custom nginx maintenance mode
template:
......@@ -26,7 +26,7 @@
group: root
mode: 0644
notify: Reload nginx
when: service_nginx_template is defined and maintenance is defined and maintenance|bool
when: service_nginx_template is defined and maintenance is defined and maintenance | bool
- name: Create the 503 html file
template:
......@@ -35,7 +35,7 @@
owner: root
group: root
mode: 0644
when: maintenance is defined and maintenance|bool
when: maintenance is defined and maintenance | bool
- name: Force reload nginx
meta: flush_handlers
......@@ -229,7 +229,7 @@
notify:
- Restart synapse
- name: Install signing key
- name: Install signing key # noqa template-instead-of-copy
copy:
content: '{{ vault_matrix_secrets.signing_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.signing.key
......@@ -237,7 +237,7 @@
group: synapse
mode: 0640
- name: Install ircpass key
- name: Install ircpass key # noqa template-instead-of-copy
copy:
content: '{{ vault_matrix_secrets.ircpass_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
......
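Review bot: `Install signing key` and `Install ircpass key` write vault secrets through `copy` with `content:` and no `no_log: true` is visible, so a run with `--diff` or raised verbosity may print the key material to the terminal and to any log the controller keeps. The `Fill tempfile` task elsewhere in this change already sets `no_log: true`; adding the same line (or `diff: false`) to both tasks here would match it. The same applies to `Install DKIM keys` in the rspamd role, which copies private keys. One line of each task is hidden between the hunks, so confirm the setting is not already there.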
......@@ -12,8 +12,8 @@
copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d/dns.conf owner=root group=root mode=0644
notify:
- Restart networkd
when: static_dns|default(true)
when: not dhcp|default(false)
when: static_dns | default(true)
when: not dhcp | default(false)
- name: Configure network (dhcp)
block:
......@@ -29,8 +29,8 @@
copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network.d/dns.conf owner=root group=root mode=0644
notify:
- Restart networkd
when: static_dns|default(false)
when: dhcp|default(false)
when: static_dns | default(false)
when: dhcp | default(false)
- name: Create symlink to resolv.conf
file: src=/run/systemd/resolve/stub-resolv.conf dest={{ chroot_path }}/etc/resolv.conf state=link force=yes follow=no owner=root group=root
......
galaxy_info:
description: postfix_null role
standalone: false
dependencies:
- role: postfwd
delegate_to: mail.archlinux.org
......@@ -11,7 +11,7 @@
- name: Create user account on mail to relay with
delegate_to: mail.archlinux.org
user:
ansible.builtin.user:
name: "{{ inventory_hostname_short }}"
comment: "SMTP Relay Account for {{ inventory_hostname }}"
group: nobody
......
galaxy_info:
description: rspamd role
standalone: false
dependencies:
- role: redis
......@@ -22,11 +22,11 @@
#
# the ouput gives you the DNS entries to add to the terraform files.
# The keys generated need to go to the vault:
# roles/rspamd/files/archlinux.org.dkim-rsa.key
# roles/rspamd/files/archlinux.org.dkim-ed25519.key
# roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
# roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
#
- name: Install DKIM keys
copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
copy: src={{ item }}.vault dest=/var/lib/rspamd/dkim/{{ item }} owner=rspamd group=rspamd mode=0600
loop:
- "{{ rspamd_dkim_domain }}.dkim-ed25519.key"
- "{{ rspamd_dkim_domain }}.dkim-rsa.key"
......
......@@ -18,7 +18,7 @@
register: tempfile
- name: Fill tempfile # noqa risky-file-permissions
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=0644
template: src=authorized_keys.j2 dest={{ tempfile.path }} mode=0644
- name: Upload authorized_keys file
expect:
......
......@@ -891,3 +891,29 @@ resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_ma
claim_name = "groups"
}
resource "keycloak_openid_client" "buildbot_openid_client" {
realm_id = "archlinux"
client_id = "openid_buildbot"
name = "Buildbot"
enabled = true
access_type = "PUBLIC"
standard_flow_enabled = true
valid_redirect_uris = [
"https://buildbot.pkgbuild.com/*",
"http://127.0.0.1:5000/*",
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "buildbot_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.buildbot_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
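Review bot: `buildbot_openid_client` is a `PUBLIC` client on the standard flow with no PKCE method set, and its `valid_redirect_uris` include `http://127.0.0.1:5000/*`. A public client has no secret protecting the code exchange, so `pkce_code_challenge_method = "S256"` is the usual guard to add. The loopback entry looks like a development leftover; in the production realm it widens where authorization codes may be delivered, so it is better dropped or moved to a separate dev client, and the remaining wildcard narrowed to the exact callback path if Buildbot's is fixed. The roles mapper sets both `add_to_id_token` and `add_to_access_token` to false, so the `roles` claim is presumably served from userinfo only; confirm that is where Buildbot reads it.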