infrastructure issues
https://gitlab.archlinux.org/archlinux/infrastructure/-/issues
2024-01-03T12:58:56Z

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/533
TU Rename
2024-01-03T12:58:56Z
Robin Candau (antiz@archlinux.org)

Hi,
In the continuity of the effort started in https://gitlab.archlinux.org/archlinux/tu-bylaws/-/merge_requests/6 and https://gitlab.archlinux.org/archlinux/aurweb/-/merge_requests/755 regarding the rename of TU to package maintainer, here's an issue to track the related task on the infrastructure side.
- [x] Rename TU in aurweb (https://gitlab.archlinux.org/archlinux/aurweb/-/merge_requests/755, https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/762)
- [x] Rename [the bylaws repo](https://gitlab.archlinux.org/archlinux/tu-bylaws) from "tu-bylaws" to "package-maintainer-bylaws" (by @klausenbusk)
- [x] Move the bylaw URL to https://package-maintainer-bylaws.aur.archlinux.org and make the former one (https://tu-bylaws.aur.archlinux.org) redirect to it for a while (while waiting for every reference to this link to be updated). Also update the bylaws repo description accordingly (new name + new url) (https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/02960645de2eff27026c28be3e3372f0f4bbfa53)
- [x] Drop the [related nginx redirection](https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/dbe6ceed770dc816b89d169124ef999db05cc789/roles/aurweb/templates/nginx.d.conf.j2#L53-54) (which is not so useful anymore) (https://gitlab.archlinux.org/archlinux/infrastructure/-/commit/722cc5bfae42c1a22ce35810e642a1deed2167e6)
- [x] Rename the archwiki group (https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/765)
- [ ] Rename the current TU ML from arch-tu@al.org to arch-package-maintainer@al.org and rename "trusted users" to "package maintainers" in the different [ML descriptions](https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/mailman/defaults/main.yml).
- [x] Make the https://archlinux.org/people/trusted-users/ and https://archlinux.org/people/trusted-user-fellows/ URLs redirect to https://archlinux.org/people/package-maintainers/ and https://archlinux.org/people/package-maintainer-fellows/ (while waiting for every reference to this link to be updated) when deploying the new archweb release (see the [archweb pr](https://github.com/archlinux/archweb/pull/478)).
- [x] [Rename the TU group](https://github.com/archlinux/archweb/pull/478#pullrequestreview-1679487334) when deploying the new archweb release (see the [archweb pr](https://github.com/archlinux/archweb/pull/478)).
Feel free to add tasks if I missed some.
I remain available :smile:

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/532
Migrate arch-install-scripts
2023-09-18T18:17:00Z
Jelle van der Waa

# Procedure for adding an official project to GitLab
## Details
- **Project name**: arch-install-scripts
- **Type**: MIGRATION
- **Current location**: github.com/archlinux/arch-install-scripts
## New repo checklist
If you want to add a new official project, here are some guidelines to follow:
1. [x] Evaluate whether the project can sit in the official [GitLab Arch Linux group](https://gitlab.archlinux.org/archlinux)
or whether it needs its own group. It only needs its own group if the primary
development group is somehow detached from Arch Linux and only loosely related (for instance: [pacman](https://gitlab.archlinux.org/pacman))
1. [x] After project creation (use the GitLab import function if you migrate a repo), add the responsible people to the project
in the *Members* page (https://gitlab.archlinux.org/archlinux/my-example/-/project_members)
and give them the `Developer` role. The idea is to let these people mostly manage their own project while not giving them
enough permissions to be able to misconfigure the project.
1. [ ] If mirroring to github.com is desired, work through the **GitHub.com mirroring checklist**
below and then return to this one.
1. [ ] If the project needs a secure runner to build trusted artifacts, coordinate with
the rest of the DevOps team and if found to be reasonable, assign a secure runner
to a protected branch of the project.
1. [ ] If a secure runner is used, create an MR to make sure the project's `.gitlab-ci.yml` specifies
`tags: secure`.
1. [x] Make sure that the *Push Rules* in https://gitlab.archlinux.org/archlinux/arch-boxes/-/settings/repository
reflect these values:
- `Committer restriction`: `on`
- `Reject unsigned commits`: `on`
- `Do not allow users to remove tags with git push`: `on`
- `Check whether author is a gitlab user`: `on`
- `Prevent committing secrets to git`: `on`
- All of these should be activated by default as per group rules but it's good to check.
1. [x] The *Protected Branches* in https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository should specify
`Allowed to merge` and `Allowed to push` as `Developers + Maintainers.`
1. [x] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)
Always:
- `Users can request access`: `off`
Often, but not always:
- Repository -> Container registry
- Repository -> Git Large File Storage (LFS)
- Repository -> Packages
- Analytics
- Requirements
- Security & Compliance
- Wiki
- Operations
## GitHub.com mirroring checklist
### GitLab side
1. [ ] If you want to mirror your repository "my-example" from gitlab.archlinux.org to the github.com/archlinux organization,
you should create an empty project for your project at github.com/archlinux/my-example or
if that's an existing repository, make sure that the current histories of the source and
target repository are exactly the same.
1. [ ] Go to https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository and open
*Mirroring repositories*. Make sure it has these settings:
- `Git repository URL`: `ssh://git@github.com/archlinux/my-example.git`
- `Mirror direction`: `Push`
- `Authentication method`: `SSH public key`
- `Only mirror protected branches` : `off`
1. [ ] Click `Mirror repository`.
1. [ ] A new entry will pop up which has a button titled `Copy SSH public key`. Click that to copy the public key to your clipboard.
### GitHub side
1. [ ] Log in with your primary GitHub account.
1. [ ] Go to https://github.com/archlinux/my-example/settings/access and assign the `Admin` role to the GitHub account
`archlinux-github`.
1. [ ] Log in as the `archlinux-github` technical user. This is important as otherwise pushes won't be associated correctly.
1. [ ] Go to https://github.com/archlinux/my-example/settings/keys and add a new deploy key.
1. [ ] Name it "gitlab.archlinux.org" so we know where it's from.
1. [ ] Paste the public key you copied from GitLab earlier.
1. [ ] Check `Allow write access`.
1. [ ] Click `Add key`.
1. [ ] Verify the push mirror works by clicking the `Update now` button.
1. [ ] In the repository settings on GitHub's side you should disable a few things to clean up the project page:
- `GitHub Actions`
- `Wiki`
- `Issues`
- `Projects`
1. [ ] Go to https://github.com/archlinux/my-example/settings/hooks and add a new webhook
- `Payload URL`: `$(misc/get_key.py misc/vaults/vault_github.yml github_pull_closer_webhook_url)`
- `Content type`: `application/json`
- `Which events would you like to trigger this webhook?`
- `Let me select individual events.`: `Pull requests`
1. [x] In the GitHub description of the mirrored project, append " (read-only mirror)" so that people know it's a mirror.
1. [x] Disable `Packages` and `Environments` from being shown on the main page.
1. [ ] In the website field put the full url to the repository on our GitLab.
1. [ ] Go to https://github.com/archlinux/my-example/settings/access and remove the GitHub account `archlinux-github`
1. [ ] Go to https://github.com/orgs/archlinux/teams/read-only-mirrors/repositories and add the repository with `write` permission

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/531
Split repos server to repos and archive
2024-03-27T22:47:50Z
Leonidas Spyropoulos

# Split repos.archlinux.org to repos.archlinux.org and archive.archlinux.org
## Rationale
- The current repos.al.org server has a 4x HDD setup in RAID10 to support both archive and repos. With the merge of extra and community, the extra folder in /srv/pool has many files in it, and when mirrors request to rsync from it, it takes some seconds to generate the list to send before it starts syncing. During that period there's a high chance of a new package being updated, resulting in a rewrite of the db.tar.gz files, which leads to deleting those from the mirrors (this is an edge case in POSIX which btrfs actually doesn't handle, but not a bug). Splitting the server and moving the repos into a 2x SSD raid1 setup will make it much faster to operate and less likely to trigger the bug. Better technical explanation in btrfs ML [1], [2]
- The second reason to split it is for separation of concerns of current server for repos and archive.
## Considerations
- the move to the archive can happen async (every 5 mins) on a systemd timer which will rsync from the repos /srv/archive to the actual archive (addition only, not delete)
- every day a separate systemd timer will clean up old pkg files from /src/archive older than 24h
- mirrors which mirror archive need to change their scripts to additionally mirror from the new server
- borg backups need to be updated to handle new server
## Plan
- Trigger backup
- Create new repos server with 2x SSD raid1
- Mirror the current repos.al.org except archive
- Downtime for Package Maintainers for 2 hours to change the DNS (no change in dbscripts)
- Repurpose current repos.al.org to archive.al.org
- Deploy the two systemd timers/services to async copy and cleanup packages to archive in repos.al.org
- Deploy mirror archive scripts to rsync from archive.al.org
- Inform other mirrors who sync archive about the change
- Trigger backup
## Diagram
![repos-migration](/uploads/eb31abf30054661a5a940b72796f087f/repos-migration.png)
[1]: https://lore.kernel.org/linux-btrfs/00ed09b9-d60c-4605-b3b6-f4e79bf92fca@foutras.com/
[2]: https://lore.kernel.org/linux-btrfs/ZP8AWKMVYOY0mAwq@debian0.Home/#t
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9b378f6ad48c

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/520
Leftovers from the Git Migration
2023-11-16T16:49:25Z
Christian Heusel

This issue is created so that the leftover points are not lost in hedgedocs somewhere.
Points taken from:
- https://md.archlinux.org/kF4a9cx2Sqe5ESusZw85zg?both#leftover-todo%E2%80%99s-from-migration
- https://md.archlinux.org/utjjQ-bQTsipIKntPrpf8g#3-post-rollout
@jelle wanted to have a look at the stuff that still needs doing. :rocket:
---
- [ ] Check package push rules: `ipxe` `wireless-regdb`
- [ ] repos.archlinux.org: drop tu group
- [ ] state repo: https://gitlab.archlinux.org/archlinux/packaging/state
- [ ] include README in the repository https://md.archlinux.org/QX8kjaPyTbWdaoaFgWE_-Q#
- [x] set the logo: https://mathphys.info/~chris/state_repo.png
- [x] remove the community package pool
- [x] drop community sources `/srv/ftp/sources/community`
- [x] Remove `/srv/repos/svn-{community,packages}`
- [x] Drop community-debug pools `/srv/ftp/community-debug`
- [x] Remove `/srv/svn`
- [x] check svntogit user and owner files and remove it
```
svn-packages:x:1080:1080::/home/svn-packages:/bin/bash
svn-community:x:1081:1081::/home/svn-community:/bin/bash
svntogit:x:1084:1084::/srv/svntogit:/sbin/nologin
```
- [x] Drop this after all packages sources have been updated /srv/ftp/other/community/
https://gitlab.archlinux.org/search?group_id=11323&scope=blobs&search=sources.archlinux.org%2Fother%2Fcommunity Create to do list.
To-Do https://archlinux.org/todo/move-sources-from-srvftpothercommunity-to-extra/
- [ ] Resolve broken symlinks
`find /srv/ftp -xtype l`
https://gitlab.archlinux.org/archlinux/infrastructure/-/work_items/484
- [x] check svntogit user and owner files and remove it
- [ ] asp:
- [x] drop to AUR
- [ ] archive https://github.com/archlinux/asp

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/517
Allow all packagers access to [multilib]
2023-07-23T10:37:21Z
Jelle van der Waa

Agreed upon here: https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/MWJ4CR32RFIIZJRJ5J72HOZVJLGM4WKF/
- [x] Roll out dbscripts changes https://gitlab.archlinux.org/archlinux/dbscripts/-/merge_requests/40
- [x] Infra changes https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/723
- [ ] Drop multilib group from gemini
- [ ] Configure allowed_repos in Archweb @jelle

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/516
uptimerobot seems broken
2023-05-28T19:48:14Z
Leonidas Spyropoulos

We got no uptimerobot alerts for some time now.

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/514
createlinks runs with an error
2023-05-20T14:18:31Z
Jelle van der Waa

After the extra/community merge `createlinks` now fails on this big package.
```
May 20 11:36:07 gemini.archlinux.org createlinks[1895389]: extra/x86_64: intel-oneapi-basekit-2023.1.0.46401-1
May 20 11:38:22 gemini.archlinux.org createlinks[2281454]: sort: write failed: 'standard output': No space left on device
May 20 11:38:22 gemini.archlinux.org createlinks[2281454]: sort: write error
```
Previously it worked:
```
May 16 00:07:02 gemini.archlinux.org createlinks[1562202]: community/x86_64: mupdf-tools-1.22.1-2
May 16 00:07:03 gemini.archlinux.org createlinks[1562202]: community/x86_64: dev86-0.16.21-7
May 16 00:07:03 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-basekit-2023.1.0.46401-1
May 16 00:09:20 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-compiler-dpcpp-cpp-runtime-2023.1.0-1
May 16 00:09:24 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-compiler-dpcpp-cpp-runtime-libs-2023.1.0-1
May 16 00:09:24 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-compiler-shared-2023.1.0-1
May 16 00:09:25 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-compiler-shared-runtime-2023.1.0-1
May 16 00:09:28 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-compiler-shared-runtime-libs-2023.1.0-1
May 16 00:09:29 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-dev-utilities-2021.9.0_44447-2
May 16 00:09:29 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-dpcpp-debugger-2023.1.0_43513-1
May 16 00:09:40 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-mkl-2023.1.0_46342-1
May 16 00:09:55 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-openmp-2023.1.0-1
May 16 00:09:55 gemini.archlinux.org createlinks[1562202]: community/x86_64: intel-oneapi-tbb-2021.9.0-1
May 16 00:09:56 gemini.archlinux.org createlinks[1562202]: community/x86_64: libdwarf-1:0.6.0-2
May 16 00:09:56 gemini.archlinux.org createlinks[1562202]: community/x86_64: coin-or-lemon-1.3.1-4
```

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/512
GitLab Sourcegraph integration
2023-05-20T19:58:42Z
Levente Polyak (anthraxx@archlinux.org)

We'd like to have search across all our packages and all our GitLab projects (GitLab advanced search is tracked in #159). One of the more advanced options out there would be sourcegraph which provides both, a free basic community version as well as an advanced enterprise version.
- example search: https://sourcegraph.com/search
- Tour: https://docs.sourcegraph.com/getting-started/tour
sourcegraph.com [Features](https://docs.sourcegraph.com/code_search/explanations/features):
- Use regular expressions and exact queries to perform full-text searches.
- Perform language-aware structural search on code structure.
- Search any branch and commit, with no indexing required.
- Search commit diffs and commit messages to see how code has changed.
- Narrow your search by repository and file pattern.
- Smart Search query assistant.
- Use search contexts to search across a set of repositories at specific revisions.
- Curate saved searches for yourself or your org.
- Use code monitoring to set up notifications for code changes that match a query.
- View language statistics for search results.
Tasks
- [ ] investigate sourcegraph and its setup plus peek into the enterprise features.
- [ ] If we are happy about that solution, the PL should reach out to sourcegraph and try to secure some sponsoring.
- https://about.sourcegraph.com/pricing

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/507
Enable nested virtualization for the VM runners
2023-04-12T14:15:47Z
Kristian Klausen

For faster performance when testing VMs with QEMU it could be beneficial to enable nested virtualization for the VM runners.
At the time of writing the following projects have a use case for this:
- arch-boxes (for testing the built images and testing with VirtualBox in the future)
- archiso (perhaps for testing the ISOs in the future)
- mkinitcpio (perhaps for testing mkinitcpio in the future)
- infrastructure (@dvzrv is working on some Ansible Molecule stuff where VMs could be useful)
Some concerns have been raised earlier about the safety of this, so let's discuss it :)

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/506
Assign keycloak packager group to devs/tus
2023-05-25T15:50:22Z
Levente Polyak (anthraxx@archlinux.org)

We need to:
- [ ] extend the onboarding/offboarding templates to add/remove keycloak packager group
- [x] assign all devs to the "Core Package Maintainers" keycloak group
- [x] assign all TUs to the "Package Maintainers" keycloak group
Assignee: Leonidas Spyropoulos

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/504
Setup crates.io account for Arch Linux organization
2023-10-02T04:36:51Z
Levente Polyak (anthraxx@archlinux.org)

We want to be the owner of some crates on crates.io, hence set up an account for Arch Linux organization and store access tokens in the vault.
Crates:
- [ ] alpm, alpm-sys and almp-utils
- [x] alpm-types (https://gitlab.archlinux.org/archlinux/alpm/alpm-types/-/merge_requests/26)
- [ ] arch-audit
- [x] arch-repro-status (https://gitlab.archlinux.org/archlinux/arch-repro-status/-/commit/b0df09edb9b660813c0e1be31bed19cdc60e407e)
Assignee: Levente Polyak (anthraxx@archlinux.org)

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/502
Spam Filter
2023-03-25T21:32:59Z
Eric Waller

Is there any chance to get a spam filter for the github projects? I am sick of wading through things like this
https://gitlab.archlinux.org/archlinux/service-desks/forum/-/issues/779

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/497
Improve syncrepo-template.sh to allow rsync for lastupdate check
2023-03-04T17:11:04Z
Anton Hvornum (torxed@archlinux.org)

As suggested in https://bugs.archlinux.org/task/71617.
I'm transferring the suggestion here as it's more relevant to keep track of the code changes via GitLab issues.
It also allows tagging the change to a recorded issue here.
https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/syncrepo/files/syncrepo-template.sh currently requires a http/https URL to enable lastupdate awareness.
Nikke suggests to enhance the script to allow using rsync to check lastupdate freshness.
With a reasonably modern rsync, this is IMHO easiest done with something similar to:
```bash
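# Dry-run (-n) rsync of only the lastupdate file; prints its name if it would be transferred.
needupd="$(rsync -n -R -t --no-motd --out-format='%n' --timeout=60 rsync://source.site/lastupdate /destination/dir/)"
# Exit status 0 with empty output means the local lastupdate is already current.
if [ $? -eq 0 ] && [ -z "$needupd" ]; then
    echo "Up 2 date, only rsync lastsync"
else
    echo "Need update, do full rsync"
fi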
```
Granted, it doesn't do the full compare of the lastupdate content, but it's good enough as a freshness check in the general use case.
With this addition, the script would work out of the box by only supplying it with an rsync URL making setup easier for mirror admins, and removes the requirement that the master site provides lastupdate via http/https. While the latter might not be strictly needed as the Arch Linux master provides it via http(s), it might help lastupdate/lastsync adoption by other projects which would be a Good Thing for us mirror admins.

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/484
Decommission svn2git jobs, checkouts and github repository
2022-11-20T02:38:09Z
Levente Polyak (anthraxx@archlinux.org)

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/476
Allow users to delete their own Keycloak account
2023-02-06T22:47:35Z
Jelle van der Waa

As the GDPR tells us a user should be able to delete their own account, we should allow this in keycloak. See the keycloak docs:
https://www.keycloak.org/docs/latest/server_admin/#proc-allow-user-to-delete-account_server_administration_guide

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/473
Create dedicated keycloak/GitLab user for gluebuddy
2022-10-24T21:58:52Z
Levente Polyak (anthraxx@archlinux.org)

We should follow the principle of least privilege and single purpose service accounts. Which means we should create a dedicated user `gluebuddy` for keycloak/GitLab instead of reusing the GitLab token of `arch-packaging-bot`.
In case any token/credentials get leaked anywhere, this would make it tremendously easier for incident response analysis to understand where it's coming from compared to one service account's token being used all over the place.
Assignee: Levente Polyak (anthraxx@archlinux.org)

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/450
Use Loki's recording rules to create fancy graphs for the mirrors
2022-04-18T20:02:27Z
Kristian Klausen

https://grafana.com/docs/loki/latest/rules/#recording-rules
Recording rules can be used to "parse" the nginx access logs for the mirror and create fancy graphs. Ex: number of packages downloaded split by repository (core, extra and community), traffic ratio for the mirrors backing our geo mirror etc.

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/417
Update access to (password protected) staff-only channels via ansible
2021-11-13T12:31:11Z
David Runge

The current way of dealing with access to staff-only channels on libera.chat is very static (i.e. password protected channels).
It would be beneficial to add and revoke access for these channels based on an "infrastructure as code" approach, so that this may be updated in the regular onboarding/offboarding workflow, as well as "on demand" (e.g. additional nicks, changes in nicks, etc.).
The upside to this is to have one place where staff users may be added/ add themselves to a channel based on a simple merge request and not requiring a password protection anymore. Changes to per channel files could be auto-assigned to the specific founders or members of a given channel for acknowledgement.

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/412
Migrate forwards in postfix/users to Sieve
2023-01-21T08:06:35Z
Kristian Klausen

We have some staff acc on mail.archlinux.org using `/etc/postfix/users` for forwarding mails to their personal mail address.
Long-term we want to Ansible the `users` file so they can't stay there and staff can't change the forwarding.
Using Sieve would also solve the issue of probably-spam getting forwarded and affecting our mail reputation.

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/404
Ansible /etc/postfix/users on mail.archlinux.org
2021-10-24T14:52:24Z
Kristian Klausen

All the mailboxes are currently managed manually on mail.al.org, we should manage them with Ansible.