roles/archbuild/files/gitpkg

@@ -426,7 +426,7 @@ if gitify
     package: case
     when meson
       <<~END
-        DESTDIR="$pkgdir" meson install -C build
+        meson install -C build --destdir "$pkgdir"
       END
     end,
   }.reverse_each do |name, content|

roles/aurweb/tasks/main.yml

@@ -17,6 +17,7 @@
       - python-fastapi
       - python-jinja
       - python-email-validator
+      - python-orjson
       - sudo
       - uwsgi-plugin-cgi
 

roles/aurweb/templates/aurweb-mkpkglists.service.j2

@@ -6,7 +6,7 @@ After=mysqld.service
 [Service]
 Type=oneshot
 User={{ aurweb_user }}
-ExecStart=/usr/local/bin/aurweb-mkpkglists
+ExecStart=/usr/local/bin/aurweb-mkpkglists --extended
 
 NoNewPrivileges=true
 LockPersonality=true

roles/aurweb/templates/config.j2

@@ -41,5 +41,7 @@ server = https://mirror.pkgbuild.com/%s/os/x86_64
 
 [mkpkglists]
 packagesfile = {{ aurweb_dir }}/web/html/packages.gz
+packagesmetafile = {{ aurweb_dir }}/web/html/packages-meta-v1.json.gz
+packagesmetaextfile = {{ aurweb_dir }}/web/html/packages-meta-ext-v1.json.gz
 pkgbasefile = {{ aurweb_dir }}/web/html/pkgbase.gz
 userfile = {{ aurweb_dir }}/web/html/users.gz

roles/dbscripts/templates/rsyncd.conf.proto.j2

@@ -31,19 +31,19 @@ hosts deny = *
 [ftp]
 	path = /srv/ftp
 	comment = ftp area (most mirrors should use this)
-	exclude = /archive/ /other/ /sources/
+	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
 
 [ftp_tier1]
 	path = /srv/ftp
 	comment = ftp area (most mirrors should use this)
-	exclude = /archive/ /other/ /sources/
+	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
 	hosts allow = @@ALLOWHOSTS_TIER1@@
 	max connections = 0
 
 [ftp_auth]
 	path = /srv/ftp
 	comment = ftp area, passworded (same as 'ftp')
-	exclude = /archive/ /other/ /sources/
+	exclude = /archive/ /other/ /sources/ /*-debug/ /pool/*-debug/
 	hosts allow = *
 	auth users = *
 	secrets file = /etc/rsyncd.secrets

roles/loki/files/loki.yaml

-# Enables authentication through the X-Scope-OrgID header, which must be present
-# if true. If false, the OrgID will always be set to "fake".
 auth_enabled: false
 
 server:
@@ -8,24 +6,22 @@ server:
   grpc_listen_address: 127.0.0.1
   grpc_listen_port: 9095
 
+common:
+  path_prefix: /var/lib/loki
+  storage:
+    filesystem:
+      chunks_directory: /var/lib/loki/chunks
+      rules_directory: /var/lib/loki/rules
+  replication_factor: 1
+  ring:
+    instance_addr: 127.0.0.1
+    kvstore:
+      store: inmemory
+
 ingester:
   wal:
-    enabled: true
-    dir: /var/lib/loki/wal
     replay_memory_ceiling: 200MB
-  lifecycler:
-    address: 127.0.0.1
-    ring:
-      kvstore:
-        store: inmemory
-      replication_factor: 1
-    final_sleep: 0s
-  chunk_idle_period: 1h       # Any chunk not receiving new logs in this time will be flushed
-  max_chunk_age: 1h           # All chunks will be flushed when they hit this age, default is 1h
-  chunk_target_size: 1536000  # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
   chunk_encoding: zstd
-  chunk_retain_period: 30s    # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
-  max_transfer_retries: 0     # Chunk transfers disabled
 
 schema_config:
   configs:
@@ -37,27 +33,10 @@ schema_config:
         prefix: index_
         period: 24h
 
-storage_config:
-  boltdb_shipper:
-    active_index_directory: /var/lib/loki/boltdb-shipper-active
-    cache_location: /var/lib/loki/boltdb-shipper-cache
-    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
-    shared_store: filesystem
-  filesystem:
-    directory: /var/lib/loki/chunks
-
 compactor:
-  working_directory: /var/lib/loki/boltdb-shipper-compactor
-  shared_store: filesystem
+  retention_enabled: true
 
 limits_config:
-  reject_old_samples: true
-  reject_old_samples_max_age: 168h
   max_query_series: 10000
-
-chunk_store_config:
-  max_look_back_period: 2184h
-
-table_manager:
-  retention_deletes_enabled: true
-  retention_period: 2184h  # 91 days
+  retention_period: 91d
+  max_query_lookback: 91d

roles/matrix/defaults/main.yml

@@ -2,6 +2,12 @@
 
 matrix_max_upload_size: 50M
 matrix_nginx_config:
+  - name: mjolnir
+    port: 8010
+    locations:
+      - path: "~ ^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$"
+        pass: "/api/1/report/$1/$2"
+        add_cors: true
   - name: federation_reader
     port: 8011
     locations:

roles/matrix/tasks/main.yml

@@ -77,7 +77,7 @@
 - name: install synapse
   pip:
     name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.45.1'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.47.1'
     state: latest
     extra_args: '--upgrade-strategy=eager'
     virtualenv: /var/lib/synapse/venv
@@ -105,7 +105,7 @@
   git:
     repo: https://github.com/matrix-org/mjolnir
     dest: /var/lib/synapse/mjolnir
-    version: v1.1.20
+    version: v1.2.1
   become: true
   become_user: synapse
   become_method: sudo

roles/matrix/templates/homeserver.yaml.j2

@@ -91,8 +91,28 @@ server_name: "{{ matrix_server_name }}"
 # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
+# Defaults to 'https://<server_name>/'.
+#
 public_baseurl: https://{{ matrix_domain }}/
 
+# Uncomment the following to tell other servers to send federation traffic on
+# port 443.
+#
+# By default, other servers will try to reach our server on port 8448, which can
+# be inconvenient in some environments.
+#
+# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
+# option configures Synapse to serve a file at
+# 'https://<server_name>/.well-known/matrix/server'. This will tell other
+# servers to send traffic to port 443 instead.
+#
+# See https://matrix-org.github.io/synapse/latest/delegate.html for more
+# information.
+#
+# Defaults to 'false'.
+#
+#serve_server_wellknown: true
+
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
 # hard limit.
@@ -483,6 +503,48 @@ limit_remote_rooms:
 #
 #user_ips_max_age: 14d
 
+# Inhibits the /requestToken endpoints from returning an error that might leak
+# information about whether an e-mail address is in use or not on this
+# homeserver.
+# Note that for some endpoints the error situation is the e-mail already being
+# used, and for others the error is entering the e-mail being unused.
+# If this option is enabled, instead of returning an error, these endpoints will
+# act as if no error happened and return a fake session ID ('sid') to clients.
+#
+#request_token_inhibit_3pid_errors: true
+
+# A list of domains that the domain portion of 'next_link' parameters
+# must match.
+#
+# This parameter is optionally provided by clients while requesting
+# validation of an email or phone number, and maps to a link that
+# users will be automatically redirected to after validation
+# succeeds. Clients can make use this parameter to aid the validation
+# process.
+#
+# The whitelist is applied whether the homeserver or an
+# identity server is handling validation.
+#
+# The default value is no whitelist functionality; all domains are
+# allowed. Setting this value to an empty list will instead disallow
+# all domains.
+#
+#next_link_domain_whitelist: ["matrix.org"]
+
+# Templates to use when generating email or HTML page contents.
+#
+templates:
+  # Directory in which Synapse will try to find template files to use to generate
+  # email or HTML page contents.
+  # If not set, or a file is not found within the template directory, a default
+  # template from within the Synapse package will be used.
+  #
+  # See https://matrix-org.github.io/synapse/latest/templates.html for more
+  # information about using custom templates.
+  #
+  #custom_template_directory: /path/to/custom/templates/
+
+
 # Message retention policy at the server level.
 #
 # Room admins and mods can define a retention period for their rooms using the
@@ -552,47 +614,6 @@ retention:
     - shortest_max_lifetime: 3d
       interval: 1d
 
-# Inhibits the /requestToken endpoints from returning an error that might leak
-# information about whether an e-mail address is in use or not on this
-# homeserver.
-# Note that for some endpoints the error situation is the e-mail already being
-# used, and for others the error is entering the e-mail being unused.
-# If this option is enabled, instead of returning an error, these endpoints will
-# act as if no error happened and return a fake session ID ('sid') to clients.
-#
-#request_token_inhibit_3pid_errors: true
-
-# A list of domains that the domain portion of 'next_link' parameters
-# must match.
-#
-# This parameter is optionally provided by clients while requesting
-# validation of an email or phone number, and maps to a link that
-# users will be automatically redirected to after validation
-# succeeds. Clients can make use this parameter to aid the validation
-# process.
-#
-# The whitelist is applied whether the homeserver or an
-# identity server is handling validation.
-#
-# The default value is no whitelist functionality; all domains are
-# allowed. Setting this value to an empty list will instead disallow
-# all domains.
-#
-#next_link_domain_whitelist: ["matrix.org"]
-
-# Templates to use when generating email or HTML page contents.
-#
-templates:
-  # Directory in which Synapse will try to find template files to use to generate
-  # email or HTML page contents.
-  # If not set, or a file is not found within the template directory, a default
-  # template from within the Synapse package will be used.
-  #
-  # See https://matrix-org.github.io/synapse/latest/templates.html for more
-  # information about using custom templates.
-  #
-  #custom_template_directory: /path/to/custom/templates/
-
 
 ## TLS ##
 
@@ -1268,7 +1289,7 @@ registration_shared_secret: "{{ vault_matrix_secrets.registration_shared_secret
 # in on this server.
 #
 # (By default, no suggestion is made, so it is left up to the client.
-# This setting is ignored unless public_baseurl is also set.)
+# This setting is ignored unless public_baseurl is also explicitly set.)
 #
 default_identity_server: https://matrix.org
 
@@ -1293,8 +1314,6 @@ default_identity_server: https://matrix.org
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
-# If a delegate is specified, the config option public_baseurl must also be filled out.
-#
 account_threepid_delegates:
     #email: https://example.com     # Delegate email sending to example.com
     msisdn: https://vector.im
@@ -2005,11 +2024,10 @@ sso:
     # phishing attacks from evil.site. To avoid this, include a slash after the
     # hostname: "https://my.client/".
     #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
+    # The login fallback page (used by clients that don't natively support the
+    # required login flows) is whitelisted in addition to any URLs in this list.
     #
-    # By default, this list is empty.
+    # By default, this list contains only the login fallback page.
     #
     #client_whitelist:
     #  - https://riot.im/develop
@@ -2303,34 +2321,6 @@ email:
     #email_validation: "[%(server_name)s] Validate your email"
 
 
-# Password providers allow homeserver administrators to integrate
-# their Synapse installation with existing authentication methods
-# ex. LDAP, external tokens, etc.
-#
-# For more information and known implementations, please see
-# https://matrix-org.github.io/synapse/latest/password_auth_providers.html
-#
-# Note: instances wishing to use SAML or CAS authentication should
-# instead use the `saml2_config` or `cas_config` options,
-# respectively.
-#
-password_providers:
-#    # Example config for an LDAP auth provider
-#    - module: "ldap_auth_provider.LdapAuthProvider"
-#      config:
-#        enabled: true
-#        uri: "ldap://ldap.example.com:389"
-#        start_tls: true
-#        base: "ou=users,dc=example,dc=com"
-#        attributes:
-#           uid: "cn"
-#           mail: "email"
-#           name: "givenName"
-#        #bind_dn:
-#        #bind_password:
-#        #filter: "(objectClass=posixAccount)"
-
-
 
 ## Push ##
 

roles/matrix/templates/mjolnir.yaml.j2

@@ -2,6 +2,11 @@
 # pantalaimon if you're using that.
 homeserverUrl: "http://127.0.0.1:8009"
 
+
+# Where the homeserver is located (client-server URL). NOT panalaimon.
+rawHomeserverUrl: "http://127.0.0.1:8008"
+
+
 # The access token for the bot to use. Do not populate if using Pantalaimon.
 accessToken: ""
 
@@ -159,4 +164,31 @@ health:
     # Defaults to 418.
     unhealthyStatus: 418
 
+# Options for exposing web APIs.
+web:
+  # Whether to enable web APIs.
+  enabled: true
+
+  # The port to expose the webserver on. Defaults to 8080.
+  port: 8010
+
+  # The address to listen for requests on. Defaults to only the current
+  # computer.
+  address: localhost
+
+  # Alternative setting to open to the entire web. Be careful,
+  # as this will increase your security perimeter:
+  #
+  #  address: "0.0.0.0"
+
+  # A web API designed to intercept Matrix API
+  # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
+  # and display readable abuse reports in the moderation room.
+  #
+  # If you wish to take advantage of this feature, you will need
+  # to configure a reverse proxy, see e.g. test/nginx.conf
+  abuseReporting:
+    # Whether to enable this feature.
+    enabled: true
+
 # vim:set ft=yaml:

roles/matrix/templates/nginx.d.conf.j2

@@ -30,17 +30,25 @@ server {
     access_log   /var/log/nginx/{{ matrix_domain }}/access.log.json json_reduced;
     error_log    /var/log/nginx/{{ matrix_domain }}/error.log;
 
-    ssl_certificate      /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem;
+    ssl_certificate         /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ matrix_domain }}/chain.pem;
 
 {% for config in matrix_nginx_config %}
     # {{ config.name }}
 {% for location in config.locations %}
-    location {{ location }} {
-        access_log   /var/log/nginx/{{ matrix_domain }}/access.log main;
-        access_log   /var/log/nginx/{{ matrix_domain }}/access.log.json json_main;
-        proxy_pass http://matrix_{{ config.name }};
+{% if location is string %}
+{% set location = { 'path': location } %}
+{% endif %}
+    location {{ location.path }} {
+        access_log /var/log/nginx/{{ matrix_domain }}/access.log main;
+        access_log /var/log/nginx/{{ matrix_domain }}/access.log.json json_main;
+{% if location.add_cors | default(false) %}
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Methods "GET, HEAD, POST, PUT, DELETE, OPTIONS";
+        add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization, Date";
+{% endif %}
+        proxy_pass http://matrix_{{ config.name }}{{ location.pass | default('') }};
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header Host $host;

tf-stage1/templates.tf

@@ -110,7 +110,7 @@ resource "hcloud_server" "machine" {
   name        = each.key
   image       = data.hcloud_image.archlinux.id
   server_type = each.value.server_type
-  location    = "hel1"
+  location    = "fsn1"
   lifecycle {
     ignore_changes = [image, location]
   }