roles/archwiki/defaults/main.yml

@@ -2,8 +2,8 @@ archwiki_dir: '/srv/http/archwiki'
 archwiki_domain: 'wiki.archlinux.org'
 archwiki_nginx_conf: '/etc/nginx/nginx.d/archwiki.conf'
 archwiki_user: 'archwiki'
-archwiki_repository: 'https://github.com/archlinux/archwiki.git'
-archwiki_version: '1.41.0-2'
+archwiki_repository: 'https://gitlab.archlinux.org/archlinux/archwiki.git'
+archwiki_version: '1.41.0-3'
 archwiki_question_answer_file: '/srv/http/archwiki/registration-question-answer.txt'
 
 archwiki_socket: '/run/php-fpm/archwiki.socket'

roles/bugbuddy/files/bugbuddy-download.sh

@@ -64,7 +64,7 @@ for uid in "${TRUSTED_UIDs[@]}"; do
 done
 
 for fp in "${TRUSTED_KEYS[@]}"; do
-	sq --force link add --all "${fp}"
+	sq --force pki link add --all "${fp}"
 done
 
 verified=0

roles/dbscripts/defaults/main.yml

-dbscripts_commit: c268f0140a86f390657b3bcfc36c6bd9aaa5ba4f
+dbscripts_commit: 7e5df6a5adb4b9c4531568a5113020daad3af5b0
 dbscripts_update: true
 dbscripts_pgp_emails: ['jelle@archlinux.org', 'anthraxx@archlinux.org']
 

roles/fail2ban/files/fail2ban.xml

+<?xml version="1.0" encoding="utf-8"?>
+<ipset type="hash:net">
+</ipset>

roles/fail2ban/tasks/main.yml

@@ -36,8 +36,8 @@
 
 - name: Install firewallcmd-allports.local
   template:
-    src: "firewallcmd-allports.local.j2"
-    dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
+    src: "firewallcmd-ipset-allports.conf.j2"
+    dest: "/etc/fail2ban/action.d/firewallcmd-ipset-allports.conf"
     owner: "root"
     group: "root"
     mode: '0644'
@@ -88,6 +88,17 @@
   notify:
     - Reload fail2ban jails
 
+- name: Install fail2ban ipset for firewalld
+  copy: src=fail2ban.xml dest=/etc/firewalld/ipsets/ owner=root group=root mode=0644
+  register: result
+
+- name: Restart firewalld
+  systemd: name=firewalld state=restarted
+  when: result.changed
+
+- name: Add fail2ban ipset to the firewalld drop zone
+  ansible.posix.firewalld: source=ipset:fail2ban zone=drop permanent=true immediate=true state=enabled
+
 - name: Start and enable service
   systemd:
     name: "fail2ban.service"

roles/fail2ban/templates/firewallcmd-allports.local.j2

-#
-# {{ansible_managed}}
-#
-
-# creates the requisite chains in firewalld when fail2ban starts instead
-# of creating them on first use (ie, when first IP is banned)
-[Definition]
-actionstart_on_demand = false

roles/fail2ban/templates/firewallcmd-ipset-allports.conf.j2

+#
+# {{ansible_managed}}
+#
+
+[Definition]
+
+actionban = firewall-cmd --ipset=fail2ban --add-entry=<ip>
+actionunban = firewall-cmd --ipset=fail2ban --remove-entry=<ip>

roles/fail2ban/templates/jail.local.j2

@@ -27,7 +27,7 @@ sender = fail2ban@{{ansible_fqdn}}
 #   fail2ban-client set unban <IP>
 #   fail2ban-client set unban --all
 # see `fail2ban-client help` for full list of runtime commands
-banaction = firewallcmd-allports
+banaction = firewallcmd-ipset-allports
 
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses

roles/gitlab_runner/files/domain_template.xml

 <domain type='kvm'>
   <name>$vm_name</name>
-  <memory unit='MiB'>1024</memory>
+  <memory unit='MiB'>2048</memory>
   <vcpu>4</vcpu>
   <os>
     <type arch='x86_64' machine='q35'>hvm</type>

roles/gitlab_runner/files/libvirt-executor-update-base-image

@@ -4,6 +4,8 @@ readonly libvirt_default_pool_path="/var/lib/libvirt/images"
 readonly arch_boxes_signing_key=/usr/local/lib/libvirt-executor/arch-boxes.asc
 readonly arch_boxes_fingerprint=1B9A16984A4E8CB448712D2AE0B78BF4326C6F8F
 
+loopdev=""
+
 cleanup() {
   set +o errexit
 
@@ -21,8 +23,8 @@ trap cleanup EXIT
 
 cd "${tmpdir}"
 curl -sSf --remote-name-all https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-basic.qcow2{,.sig}
-sq import "${arch_boxes_signing_key}"
-sq link add --all "${arch_boxes_fingerprint}"
+sq cert import "${arch_boxes_signing_key}"
+sq pki link add --all "${arch_boxes_fingerprint}"
 sq verify --signer-cert "${arch_boxes_fingerprint}" --detached Arch-Linux-x86_64-basic.qcow2.sig Arch-Linux-x86_64-basic.qcow2
 
 image=Arch-Linux-x86_64-basic.img

roles/gitlab_runner/templates/config.toml.j2

@@ -32,7 +32,7 @@ listen_address = ":9252"
   executor = "custom"
   builds_dir = "/builds"
   cache_dir = "/cache"
-  limit = {{ (ansible_memtotal_mb * 0.9 / 1024) | round | int }}
+  limit = {{ (ansible_memtotal_mb * 0.9 / 2048) | round | int }}
   environment = ["ARCHIVER_STAGING_DIR=/var/tmp"]
   [runners.custom]
     prepare_exec = "/usr/local/bin/libvirt-executor"

roles/gluebuddy/files/gluebuddy_download.sh

@@ -45,7 +45,7 @@ for uid in "${TRUSTED_UIDs[@]}"; do
 done
 
 for fp in "${TRUSTED_KEYS[@]}"; do
-	sq link add --all "${fp}"
+	sq pki link add --all "${fp}"
 done
 
 sq verify --signer-cert "${TRUSTED_KEYS[0]}" --detached ${NAME}.sig ${NAME} || \

roles/hedgedoc/tasks/main.yml

@@ -34,7 +34,7 @@
   template: src=hedgedoc.service.d.j2 dest=/etc/systemd/system/hedgedoc.service.d/local.conf owner=root group=root mode=0644
 
 - name: Install hedgedoc config file
-  template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=root mode=0644
+  template: src=config.json.j2 dest=/etc/webapps/hedgedoc/config.json owner=root group=hedgedoc mode=0640
 
 - name: Start and enable hedgedoc
   service: name=hedgedoc.service enabled=yes state=started

roles/hedgedoc/templates/config.json.j2

@@ -35,6 +35,9 @@
             "host": "localhost",
             "port": "5432"
         },
-        "linkifyHeaderStyle": "gfm"
+        "linkifyHeaderStyle": "gfm",
+        "oauth2": {
+            "clientSecret": "{{ vault_hedgedoc_client_secret }}"
+        }
     }
 }

roles/hedgedoc/templates/hedgedoc.service.d.j2

@@ -6,7 +6,6 @@ Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
 Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
 Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
-Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
 Environment=CMD_OAUTH2_ROLES_CLAIM=roles
 Environment=CMD_OAUTH2_ACCESS_ROLE=Staff

roles/matrix/tasks/main.yml

@@ -78,7 +78,7 @@
 - name: Install synapse
   pip:
     name:
-      - 'matrix-synapse[postgres,oidc,systemd,url-preview,redis,user-search]==1.99.0'
+      - 'matrix-synapse[postgres,oidc,systemd,url-preview,redis,user-search]==1.101.0'
     state: latest
     extra_args: '--upgrade-strategy=eager'
     virtualenv: /var/lib/synapse/venv

roles/prometheus_exporters/tasks/main.yml

@@ -58,7 +58,6 @@
     - hetzner-textcollector.sh
     - rebuilderd-textcollector.sh
     - rebuilderd-status-textcollector.py
-    - flyspray-textcollector.py
     - archive-textcollector.sh
     - repository-textcollector.sh
     - btrfs-textcollector.sh