roles/dbscripts/files/sudoers.d

-%dev ALL=(svn-packages) NOPASSWD:/usr/bin/svnserve
-%dev ALL=(svn-packages) NOPASSWD:/usr/bin/svn
-#%dev ALL=(svn-community) NOPASSWD:/usr/bin/svnserve
-%tu ALL=(svn-community) NOPASSWD:/usr/bin/svnserve
-%tu ALL=(svn-community) NOPASSWD:/usr/bin/svn
-
 %dev ALL = (archive) NOPASSWD: /packages/db-archive
-%tu  ALL = (archive) NOPASSWD: /community/db-archive
+%junior-dev ALL = (archive) NOPASSWD: /packages/db-archive
+%packager ALL = (archive) NOPASSWD: /packages/db-archive
+%junior-packager ALL = (archive) NOPASSWD: /packages/db-archive
 
 sourceballs ALL=(svn-community) NOPASSWD:/usr/bin/svn
 sourceballs ALL=(svn-packages) NOPASSWD:/usr/bin/svn

roles/dbscripts/files/update-repos.sh

-#!/bin/bash -eC
-
-REPO_HOME=/srv/svntogit/repos
-REPOS=(packages community)
-REMOTE=public
-LOCKFILE="$0.lock"
-
-update_pkg() {
-	local pkg=$1
-
-	if git show master:$pkg &>/dev/null; then
-		if ! git show-ref -q --verify refs/heads/packages/$pkg; then
-			# Added package; create package branch
-			git branch packages/$pkg master
-			git filter-branch -f --subdirectory-filter $pkg packages/$pkg \
-				>/dev/null
-		else
-			# Updated package; apply changes to package branch
-			git checkout -q packages/$pkg
-			git format-patch -k --stdout last-commit-processed..master -- $pkg |
-				git am -k -p2 --keep-cr --committer-date-is-author-date \
-					&>/dev/null
-		fi
-	else
-		# Deleted package; destroy the branch and stop processing this package
-		git branch -D packages/$pkg &>/dev/null || true
-		git push -q --delete $REMOTE packages/$pkg &>/dev/null || true
-		return 0
-	fi
-}
-
-# Rather simple locking mechanism
-echo $$ >"$LOCKFILE"
-
-for repo in ${REPOS[@]}; do
-	echo "==> Updating '$repo' Git repository on $(date -u)"
-
-	pushd "$REPO_HOME/$repo" >/dev/null
-
-	# Make sure we have a last-commit-processed tag to work from
-	if ! git show-ref -q --verify refs/tags/last-commit-processed; then
-		echo "==> ERR: Couldn't update '$repo' Git repository;" \
-			"missing last-commit-processed tag" >&2
-		# Skip to the next repo
-		continue
-	fi
-
-	# Make sure we're on the master branch
-	git checkout -q master
-
-	echo '  -> Fetching changes from SVN'
-	if ! git svn rebase &>/dev/null; then
-		echo '    > git svn rebase command failed; skipping to next repository'
-		echo "==> Aborted updating '$repo' on $(date -u)"
-		echo
-		popd >/dev/null
-		continue
-	fi
-
-	echo '  -> Updating package branches'
-	pkgs=($(git diff --name-only --no-renames last-commit-processed |
-		cut -d'/' -f1 | uniq))
-	pkg_count=${#pkgs[@]}
-
-	if ((pkg_count)); then
-		# Update each package branch
-		for pkg in ${pkgs[@]}; do
-			echo "    > Updating package branch for '$pkg'"
-			update_pkg $pkg
-		done
-
-		# Return to the master branch
-		git checkout -q master
-
-		echo "  -> Updated $pkg_count package branches"
-
-		echo '  -> Updating public Git repository'
-		if ! git push -q --all $REMOTE &>/dev/null; then
-			echo '    > git push command failed'
-		fi
-	else
-		echo '    > No updates found'
-	fi
-
-	echo '  -> Tagging last commit processed'
-	git tag -f last-commit-processed >/dev/null
-
-	popd >/dev/null
-
-	echo "==> Finished updating '$repo' on $(date -u)"
-	echo
-done
-
-# Remove lock
-rm "$LOCKFILE"
-
-# vim:set ts=4 sw=4 noet:

roles/dbscripts/tasks/main.yml

-- name: Install svn, git, rsync and some perl stuff
-  pacman: name=git,subversion,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
+- name: Install git, rsync and some perl stuff
+  pacman: name=git,rsync,perl-dbd-pg,perl-timedate,diffstat state=present
 
 - name: Install sourceballs requirements (makepkg download dependencies)
   pacman: name=git,subversion,mercurial,breezy state=present
@@ -7,14 +7,22 @@
 - name: Install binutils for createlinks script
   pacman: name=binutils state=present
 
+- name: Install fcgiwrap for the Git repo
+  pacman: name=fcgiwrap state=present
+
+- name: Install fcgiwrap for the Git repo
+  systemd: name=fcgiwrap.socket enabled=yes state=started
+
+- name: Allow state repo to be exported
+  file: path="/srv/repos/state/.git/git-daemon-export-ok" state=touch owner=git-packages group=junior-packager mode=0644
+
 - name: Create dbscripts users
   user: name="{{ item }}" shell=/bin/bash
   with_items:
-    - svn-packages
-    - svn-community
+    - git-packages
 
 - name: Add cleanup user
-  user: name=cleanup groups=tu,dev,multilib shell=/sbin/nologin
+  user: name=cleanup groups=junior-dev,dev,junior-packager,packager,multilib shell=/sbin/nologin
 
 - name: Add sourceballs user
   user: name=sourceballs shell=/sbin/nologin
@@ -47,29 +55,20 @@
     state: present
   with_dict: "{{ arch_users }}"
 
-- name: Create .ssh directory
-  file: path=/home/svn-packages/.ssh state=directory owner=svn-packages group=svn-packages mode=0700
-
-- name: Configure ssh keys for devs
-  template: src=authorized_keys-group.j2 dest=/home/svn-packages/.ssh/authorized_keys owner=svn-packages group=svn-packages mode=600
-  vars:
-    pubkey_groups: ['dev']
-  tags: ['archusers']
-
-- name: Create .ssh directory
-  file: path=/home/svn-community/.ssh state=directory owner=svn-community group=svn-community mode=0700
+- name: Create /etc/dbscripts directory
+  file: path=/etc/dbscripts state=directory owner=root group=root mode=0755
 
-- name: Configure ssh keys for TUs
-  template: src=authorized_keys-group.j2 dest=/home/svn-community/.ssh/authorized_keys owner=svn-community group=svn-community mode=600
+- name: Generate dbscripts authors mapping
+  template: src=authors.conf.j2 dest=/etc/dbscripts/authors.conf owner=root group=root mode=644
   vars:
-    pubkey_groups: ['tu']
+    packager_groups: ['packager', 'junior-packager', 'dev', 'junior-dev']
   tags: ['archusers']
 
 - name: Create staging directories in user homes
   dbscripts_mkdirs:
     pathtmpl: '/home/{user}/staging/{dirname}'
     permissions: '755'
-    directories: ['', 'core', 'extra', 'testing', 'staging', 'community', 'community-staging', 'community-testing', 'multilib', 'multilib-staging', 'multilib-testing']
+    directories: ['', 'core', 'extra', 'multilib', 'multilib-staging', 'multilib-testing', 'core-testing', 'core-staging', 'extra-testing', 'extra-staging']
     users: "{{ arch_users.keys() | list }}"
     group: users
   tags: ["archusers"]
@@ -77,77 +76,64 @@
 - name: Create dbscripts paths
   file: path="{{ item }}" state=directory owner=root group=root mode=0755
   with_items:
-    - /srv/repos/svn-community
-    - /srv/repos/svn-packages
-
-- name: Create svn-community/package-cleanup directory
-  file: path="/srv/repos/svn-community/package-cleanup" state=directory owner=svn-community group=tu mode=0775
-- name: Add acl user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
-  acl: name=/srv/repos/svn-community/package-cleanup entry="user:cleanup:rwx" state=present
-- name: Add acl default:user::rwx to /srv/repos/svn-community/package-cleanup
-  acl: name=/srv/repos/svn-community/package-cleanup entry="default:user::rwx" state=present
-- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-community/package-cleanup
-  acl: name=/srv/repos/svn-community/package-cleanup entry="default:user:cleanup:rwx" state=present
-- name: Add acl default:group::rwx to /srv/repos/svn-community/package-cleanup
-  acl: name=/srv/repos/svn-community/package-cleanup entry="default:group::rwx" state=present
-- name: Add acl default:other::r-x to /srv/repos/svn-community/package-cleanup
-  acl: name=/srv/repos/svn-community/package-cleanup entry="default:other::r-x" state=present
-
-- name: Create svn-packages/package-cleanup directory
-  file: path="/srv/repos/svn-packages/package-cleanup" state=directory owner=svn-packages group=dev mode=0775
-- name: Add acl user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
-  acl: name=/srv/repos/svn-packages/package-cleanup entry="user:cleanup:rwx" state=present
-- name: Add acl default:user::rwx to /srv/repos/svn-packages/package-cleanup
-  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user::rwx" state=present
-- name: Add acl default:user:cleanup:rwx to /srv/repos/svn-packages/package-cleanup
-  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
-- name: Add acl default:group::rwx to /srv/repos/svn-packages/package-cleanup
-  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:group::rwx" state=present
-- name: Add acl default:other::r-x to /srv/repos/svn-packages/package-cleanup
-  acl: name=/srv/repos/svn-packages/package-cleanup entry="default:other::r-x" state=present
-
-- name: Create svn-community/source-cleanup directory
-  file: path="/srv/repos/svn-community/source-cleanup" state=directory owner=sourceballs group=svn-community mode=0755
-- name: Create svn-packages/source-cleanup directory
-  file: path="/srv/repos/svn-packages/source-cleanup" state=directory owner=sourceballs group=svn-packages mode=0755
-
-- name: Create svn-community/svn directory
-  file: path="/srv/repos/svn-community/svn" state=directory owner=svn-community group=svn-community mode=0755
-- name: Add acl default:user::rwx to /srv/repos/svn-community/svn
-  acl: name=/srv/repos/svn-community/svn entry="default:user::rwx" state=present
-- name: Add acl default:group::r-x to /srv/repos/svn-community/svn
-  acl: name=/srv/repos/svn-community/svn entry="default:group::r-x" state=present
-- name: Add acl default:other::r-x to /srv/repos/svn-community/svn
-  acl: name=/srv/repos/svn-community/svn entry="default:other::r-x" state=present
-
-- name: Create svn-packages/svn directory
-  file: path="/srv/repos/svn-packages/svn" state=directory owner=svn-packages group=svn-packages mode=0755
-- name: Add acl default:user::rwx to /srv/repos/svn-packages/svn
-  acl: name=/srv/repos/svn-packages/svn entry="default:user::rwx" state=present
-- name: Add acl default:group::r-x to /srv/repos/svn-packages/svn
-  acl: name=/srv/repos/svn-packages/svn entry="default:group::r-x" state=present
-- name: Add acl default:other::r-x to /srv/repos/svn-packages/svn
-  acl: name=/srv/repos/svn-packages/svn entry="default:other::r-x" state=present
-
-- name: Create svn-community/tmp directory
-  file: path="/srv/repos/svn-community/tmp" state=directory owner=svn-community group=tu mode=1775
-- name: Add acl user:sourceballs:rwx to /srv/repos/svn-community/tmp
-  acl: name=/srv/repos/svn-community/tmp entry="user:sourceballs:rwx" state=present
-
-- name: Create svn-packages/tmp directory
-  file: path="/srv/repos/svn-packages/tmp" state=directory owner=svn-packages group=dev mode=1775
-- name: Add acl user:sourceballs:rwx to /srv/repos/svn-packages/tmp
-  acl: name=/srv/repos/svn-packages/tmp entry="user:sourceballs:rwx" state=present
+    - /srv/repos/git-packages
+
+- name: Create git-packages/package-cleanup directory
+  file: path="/srv/repos/git-packages/package-cleanup" state=directory owner=git-packages group=junior-packager mode=0775
+- name: Add acl user:cleanup:rwx to /srv/repos/git-packages/package-cleanup
+  acl: name=/srv/repos/git-packages/package-cleanup entry="user:cleanup:rwx" state=present
+- name: Add acl default:user::rwx to /srv/repos/git-packages/package-cleanup
+  acl: name=/srv/repos/git-packages/package-cleanup entry="default:user::rwx" state=present
+- name: Add acl default:user:cleanup:rwx to /srv/repos/git-packages/package-cleanup
+  acl: name=/srv/repos/git-packages/package-cleanup entry="default:user:cleanup:rwx" state=present
+- name: Add acl default:group::rwx to /srv/repos/git-packages/package-cleanup
+  acl: name=/srv/repos/git-packages/package-cleanup entry="default:group::rwx" state=present
+- name: Add acl default:other::r-x to /srv/repos/git-packages/package-cleanup
+  acl: name=/srv/repos/git-packages/package-cleanup entry="default:other::r-x" state=present
+
+- name: Create git-packages/source-cleanup directory
+  file: path="/srv/repos/git-packages/source-cleanup" state=directory owner=sourceballs group=git-packages mode=0755
+
+- name: Add acl default:junior-packager::rwx to /srv/repos/state
+  acl: name=/srv/repos/git-packages/package-cleanup entry="default:group:junior-packager:rwx" state=present
+
+- name: Create pkg cache directory
+  file: path="{{ git_pkg_cache }}" state=directory owner=git-packages group=junior-packager mode=0775
+
+- name: Create state directory
+  file: path="{{ git_state_repo }}" state=directory owner=git-packages group=junior-packager mode=0775
+
+- name: Set permissions for state directory
+  file: path="{{ git_state_repo }}" state=directory owner=git-packages group=junior-packager mode=0775
+- name: Add acl default:group:junior-packager:rw- to git_state_repo
+  acl: name="{{ git_state_repo }}" entry="default:group:junior-packager:rw-" state=present
+
+- name: Git init repository  # noqa command-instead-of-module
+  command: /usr/bin/git init --shared=group "{{ git_state_repo }}"
+  args:
+    creates: "{{ git_state_repo }}/.git/config"
+
+- name: Create git-packages/tmp directory
+  file: path="/srv/repos/git-packages/tmp" state=directory owner=git-packages group=junior-packager mode=1775
+- name: Add acl user:sourceballs:rwx to /srv/repos/git-packages/tmp
+  acl: name=/srv/repos/git-packages/tmp entry="user:sourceballs:rwx" state=present
+- name: Add acl user:cleanup:rwx to /srv/repos/git-packages/tmp
+  acl: name=/srv/repos/git-packages/tmp entry="user:cleanup:rwx" state=present
 
 - name: Touch /srv/ftp/lastsync file
   file: path="/srv/ftp/lastsync" state=touch owner=ftp group=ftp mode=0644
 
 - name: Touch /srv/ftp/lastupdate file
   file: path="/srv/ftp/lastupdate" state=touch owner=ftp group=ftp mode=0644
-- name: Add acl group:tu:rw- to /srv/ftp/lastupdate
-  acl: name=/srv/ftp/lastupdate entry="group:tu:rw-" state=present
+
+- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
+  acl: name=/srv/ftp/lastupdate entry="group:packager:rw-" state=present
+- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
+  acl: name=/srv/ftp/lastupdate entry="group:junior-packager:rw-" state=present
 - name: Add acl group:dev:rw- to /srv/ftp/lastupdate
   acl: name=/srv/ftp/lastupdate entry="group:dev:rw-" state=present
+- name: Add acl group:dev:rw- to /srv/ftp/lastupdate
+  acl: name=/srv/ftp/lastupdate entry="group:junior-dev:rw-" state=present
 
 - name: Fetch dbscripts PGP key
   command: /usr/bin/gpg --keyserver keys.openpgp.org --auto-key-locate wkd,keyserver --locate-keys {{ item }}
@@ -157,50 +143,83 @@
 
 - name: Clone dbscripts git repo
   git: >
-    dest=/srv/repos/{{ item }}/dbscripts
+    dest=/srv/repos/git-packages/dbscripts
     repo=https://gitlab.archlinux.org/archlinux/dbscripts.git
     version={{ dbscripts_commit }} update={{ dbscripts_update }}
     verify_commit=yes
+
+- name: Symlink config file
+  file: path=/srv/repos/git-packages/dbscripts/config.local src=config.local.git state=link owner=root group=root mode=0644
+
+- name: Symlink /packages to /srv/repos/git-packages/dbscripts
+  file: path=/packages src=/srv/repos/git-packages/dbscripts state=link owner=root group=root mode=0755
+
+- name: Symlink dbscript binaries to /usr/local/bin
+  file: path=/usr/local/bin/{{ item }} src=/packages/{{ item }} state=link owner=root group=root mode=0755
   with_items:
-    - svn-community
-    - svn-packages
+    - db-move
+    - db-update
+    - db-remove
+    - db-repo-add
+    - db-repo-remove
+    - testing2x
 
-- name: Make /srv/svn
-  file: path=/srv/svn state=directory owner=root group=root mode=0755
+- name: Make debug packages pool
+  file: path=/srv/ftp/pool/packages state=directory owner=root group=junior-packager mode=0775
 
-- name: Symlink /srv/svn/community to /srv/repos/svn-community/svn
-  file: path=/srv/svn/community src=/srv/repos/svn-community/svn state=link owner=root group=root mode=0755
+- name: Make debug packages-debug pool
+  file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=junior-packager mode=0775
 
-- name: Symlink /srv/svn/packages to /srv/repos/svn-packages/svn
-  file: path=/srv/svn/packages src=/srv/repos/svn-packages/svn state=link owner=root group=root mode=0755
+- name: Make junior developer root repos
+  file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
+  with_items: '{{ junior_developer_repos }}'
 
-- name: Symlink /community to /srv/repos/svn-community/dbscripts
-  file: path=/community src=/srv/repos/svn-community/dbscripts state=link owner=root group=root mode=0755
+- name: Make junior developer repos
+  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=junior-dev mode=0775
+  with_items: '{{ junior_developer_repos }}'
 
-- name: Symlink /packages to /srv/repos/svn-packages/dbscripts
-  file: path=/packages src=/srv/repos/svn-packages/dbscripts state=link owner=root group=root mode=0755
+- name: Make developer root repos
+  file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
+  with_items: '{{ developer_repos }}'
 
-- name: Make debug packages-debug pool
-  file: path=/srv/ftp/pool/packages-debug state=directory owner=root group=dev mode=0775
+- name: Make developer repos
+  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
+  with_items: '{{ developer_repos }}'
+
+- name: Make junior packager root repos
+  file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
+  with_items: '{{ junior_packager_repos }}'
 
-- name: Make debug community-debug pool
-  file: path=/srv/ftp/pool/community-debug state=directory owner=root group=tu mode=2775
+- name: Make junior packager repos
+  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=junior-packager mode=0775
+  with_items: '{{ junior_packager_repos }}'
 
-- name: Make package root debug repos
+- name: Make packager root repos
   file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
-  with_items: '{{ package_repos }}'
+  with_items: '{{ packager_repos }}'
 
-- name: Make community root debug repos
-  file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=00755
-  with_items: '{{ community_repos }}'
+- name: Make packager repos
+  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=packager mode=0775
+  with_items: '{{ packager_repos }}'
 
-- name: Make package debug repos
-  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=dev mode=0775
-  with_items: '{{ package_repos }}'
+- name: Make junior multilib root repos
+  file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
+  with_items: '{{ junior_multilib_repos }}'
 
-- name: Make community debug repos
-  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=tu mode=0775
-  with_items: '{{ community_repos }}'
+- name: Make junior multilib repos
+  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=junior-packager mode=0775
+  with_items: '{{ junior_multilib_repos }}'
+
+- name: Make multilib root repos
+  file: path=/srv/ftp/{{ item }}/os state=directory owner=root group=root mode=0755
+  with_items: '{{ multilib_repos }}'
+
+- name: Make multilib repos
+  file: path=/srv/ftp/{{ item }}/os/x86_64 state=directory owner=root group=packager mode=0775
+  with_items: '{{ multilib_repos }}'
+
+- name: Make /srv/ftp/other/packages available
+  file: path=/srv/ftp/other/packages state=directory owner=root group=junior-dev mode=0775
 
 - name: Put rsyncd.conf into tmpfiles
   copy: src=rsyncd-tmpfiles.d dest=/etc/tmpfiles.d/rsyncd.conf owner=root group=root mode=0644
@@ -225,73 +244,6 @@
   register: gen_rsyncd
   changed_when: "gen_rsyncd.rc == 0"
 
-- name: Install svnlog
-  copy: src=svnlog dest=/usr/local/bin/svnlog owner=root group=root mode=0755
-
-- name: Add arch-svntogit user
-  user: name=svntogit shell=/sbin/nologin home=/srv/svntogit generate_ssh_key=yes ssh_key_bits=4096
-
-- name: Configure svntogit git user name  # noqa command-instead-of-module
-  command: git config --global user.name svntogit
-  become: true
-  become_user: svntogit
-  register: git_config_username
-  changed_when: "git_config_username.rc == 0"
-
-- name: Configure svntogit git user email  # noqa command-instead-of-module
-  command: git config --global user.email svntogit@repos.archlinux.org
-  become: true
-  become_user: svntogit
-  register: git_config_email
-  changed_when: "git_config_email.rc == 0"
-
-- name: Template arch-svntogit
-  copy: src=update-repos.sh dest=/srv/svntogit/update-repos.sh owner=root group=root mode=0755
-
-- name: Create svntogit repos subdir
-  file: path="/srv/svntogit/repos" state=directory owner=svntogit group=svntogit mode=0775
-
-- name: Clone git-svn repos  # noqa command-instead-of-module
-  command: git svn clone file:///srv/repos/svn-{{ item }}/svn /srv/svntogit/repos/{{ item }} creates=/srv/svntogit/repos/{{ item }}
-  with_items:
-    - community
-    - packages
-  become: true
-  become_user: svntogit
-
-- name: Add svntogit public remotes  # noqa command-instead-of-module
-  command: git remote add public git@github.com:archlinux/svntogit-{{ item }}.git chdir=/srv/svntogit/repos/{{ item }}
-  with_items:
-    - community
-    - packages
-  become: true
-  become_user: svntogit
-  ignore_errors: true
-  register: git_public_remote
-  changed_when: "git_public_remote.rc == 0"
-
-# The following command also serves as a way to get the data the first time the repo is set up
-- name: Configure svntogit pull upstream branch  # noqa command-instead-of-module
-  command: git pull --set-upstream public master chdir=/srv/svntogit/repos/{{ item }}
-  environment:
-    SHELL: /bin/bash
-  with_items:
-    - community
-    - packages
-  become: true
-  become_user: svntogit
-  register: git_pull_upstream
-  changed_when: "git_pull_upstream.rc == 0"
-
-- name: Fix svntogit home permissions
-  file: path="/srv/svntogit" state=directory owner=svntogit group=svntogit mode=0775
-
-- name: Install repo helpers
-  copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
-  with_items:
-    - lsrepo
-    - checklib32
-
 - name: Install createlinks script
   copy: src=createlinks dest=/usr/local/bin/createlinks owner=root group=root mode=0755
 
@@ -304,18 +256,6 @@
   tags:
     - firewall
 
-- name: Configure svnserve
-  copy: dest=/etc/conf.d/svnserve owner=root group=root mode=0644 content="SVNSERVE_ARGS=-R -r /srv/svn\n"
-
-- name: Start and enable svnserve
-  service: name=svnserve enabled=yes state=started
-
-- name: Open firewall hole for svnserve
-  ansible.posix.firewalld: service=svn permanent=true state=enabled immediate=yes
-  when: configure_firewall
-  tags:
-    - firewall
-
 - name: Install systemd timers
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
@@ -327,12 +267,8 @@
     - lastsync.service
     - gen_rsyncd.timer
     - gen_rsyncd.service
-    - arch-svntogit.timer
-    - arch-svntogit.service
     - createlinks.timer
     - createlinks.service
-  notify:
-    - Daemon reload
 
 - name: Activate systemd timers
   service: name={{ item }} enabled=yes state=started
@@ -341,5 +277,9 @@
     - sourceballs.timer
     - lastsync.timer
     - gen_rsyncd.timer
-    - arch-svntogit.timer
     - createlinks.timer
+
+# Allow different maintainers (unix users) to touch the git state repositories
+# https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory
+- name: Install gitconfig
+  copy: src=gitconfig dest=/etc/gitconfig owner=root group=root mode=0644

roles/dbscripts/templates/authors.conf.j2

+#jinja2: lstrip_blocks: True
+{% set ns = namespace(packager=false) %}
+{% for user in arch_users | sort %}
+	{% set ns.packager = false %}
+    {% for group in packager_groups | sort %}
+        {% if group in arch_users[user].groups %}
+			{% set ns.packager = true %}
+        {% endif %}
+    {% endfor %}
+	{% if ns.packager is sameas true %}
+{{ arch_users[user].name }} <{{ arch_users[user].email }}> {{ user }}
+	{% endif %}
+{% endfor %}

roles/dbscripts/templates/nginx.d.conf.j2

@@ -21,6 +21,14 @@ server {
         allow all;
     }
 
+    location ~ /git(/.*) {
+        fastcgi_pass  unix:/run/fcgiwrap.sock;
+        include       fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME     /usr/lib/git-core/git-http-backend;
+        fastcgi_param GIT_PROJECT_ROOT    /srv/repos;
+        fastcgi_param PATH_INFO           $1;
+    }
+
     location / {
         satisfy any;
         auth_request /devel/mirrorauth/;

roles/dbscripts/templates/rsyncd.conf.proto.j2

@@ -105,18 +105,14 @@ hosts deny = *
 	path = /srv/ftp/core
 	comment = core repository
 
+[core-testing]
+	path = /srv/ftp/core-testing
+	comment = core-testing repository
+
 [extra]
 	path = /srv/ftp/extra
 	comment = extra repository
 
-[community]
-	path = /srv/ftp/community
-	comment = community repository
-
-[testing]
-	path = /srv/ftp/testing
-	comment = testing repository
-
-[community-testing]
-	path = /srv/ftp/community-testing
-	comment = community-testing repository
+[extra-testing]
+	path = /srv/ftp/extra-testing
+	comment = extra-testing repository

roles/debuginfod/defaults/main.yml

@@ -4,4 +4,3 @@ debuginfod_port: 8002
 debuginfod_database: /var/cache/debuginfod/debuginfod.sqlite
 debuginfod_package_paths:
   - /srv/ftp/pool/packages-debug
-  - /srv/ftp/pool/community-debug

roles/dovecot/files/pam.d.dovecot

-session required pam_lastlog.so
-auth    required pam_unix.so
-account required pam_unix.so

roles/dovecot/tasks/main.yml

@@ -27,9 +27,6 @@
 - name: Add vmail user
   user: name=vmail uid=5000 shell=/usr/bin/nologin group=vmail
 
-- name: Install PAM config
-  copy: src=pam.d.dovecot dest=/etc/pam.d/dovecot mode=0644 owner=root group=root
-
 - name: Create dovecot sieve dir
   file: path=/etc/dovecot/sieve state=directory owner=root group=root mode=0755
 

roles/gitlab/files/sshd_config

-# From upstream https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/docker/assets/sshd_config
-Port 222
-ChallengeResponseAuthentication no
-HostKey /etc/gitlab/ssh_host_rsa_key
-HostKey /etc/gitlab/ssh_host_ecdsa_key
-HostKey /etc/gitlab/ssh_host_ed25519_key
-Protocol 2
-PermitRootLogin no
-PasswordAuthentication no
-MaxStartups 100:30:200
-AllowUsers git
-PrintMotd no
-PrintLastLog no
-PubkeyAuthentication yes
-AuthorizedKeysFile %h/.ssh/authorized_keys /gitlab-data/ssh/authorized_keys
-AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
-AuthorizedKeysCommandUser git
-
-# Fix: User username not allowed because account is locked
-# With "UsePAM yes" the "!" is seen as a password disabled account and not fully locked so ssh public key login works
-UsePAM yes
-
-# Disabling use DNS in ssh since it tends to slow connecting
-UseDNS no
-
-# Enable the use of Git protcol v2
-AcceptEnv GIT_PROTOCOL

roles/gitlab/tasks/main.yml

@@ -4,8 +4,8 @@
 - name: Start docker
   service: name=docker enabled=yes state=started
 
-- name: Copy sshd_config into place to change the port to 222
-  copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
+- name: Create directory for gitlab
+  file: path=/srv/gitlab state=directory owner=root group=root mode=0755
 
 - name: Start docker gitlab image
   docker_container:
@@ -46,8 +46,6 @@
         letsencrypt['enable'] = true
         letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
         gitlab_rails['lfs_enabled'] = true
-        gitlab_rails['gitlab_shell_ssh_port'] = 222
-        gitlab_rails['gitlab_default_can_create_group'] = false
         gitlab_rails['gitlab_username_changing_enabled'] = false
         gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
         gitlab_rails['smtp_enable'] = true
@@ -101,18 +99,24 @@
       - "/srv/gitlab/config:/etc/gitlab"
       - "/srv/gitlab/logs:/var/log/gitlab"
       - "/srv/gitlab/data:/var/opt/gitlab"
-      - "/srv/gitlab/sshd_config:/assets/sshd_config"
 
 - name: Prune unused docker images
   docker_prune:
     images: true
 
+- name: Setup 222 -> 22 port redirect
+  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 forward-port port=222 protocol=tcp to-port=22"
+  tags:
+    - firewall
+
 - name: Open firewall holes
   ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   when: configure_firewall
   with_items:
     - "80/tcp"
     - "443/tcp"
+    - "22/tcp"
     - "222/tcp"
   tags:
     - firewall

roles/gitlab_runner/files/libvirt-executor-update-base-image

 #!/bin/bash
 set -o nounset -o errexit
 readonly libvirt_default_pool_path="/var/lib/libvirt/images"
+readonly arch_boxes_signing_key=/usr/local/lib/libvirt-executor/arch-boxes.asc
+readonly arch_boxes_fingerprint=1B9A16984A4E8CB448712D2AE0B78BF4326C6F8F
 
 cleanup() {
   set +o errexit
@@ -19,13 +21,15 @@ trap cleanup EXIT
 
 cd "${tmpdir}"
 curl -sSf --remote-name-all https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-basic.qcow2{,.sig}
-sq verify --signer-cert /usr/local/lib/libvirt-executor/arch-boxes.asc --detached Arch-Linux-x86_64-basic.qcow2.sig Arch-Linux-x86_64-basic.qcow2
+sq import "${arch_boxes_signing_key}"
+sq link add --all "${arch_boxes_fingerprint}"
+sq verify --signer-cert "${arch_boxes_fingerprint}" --detached Arch-Linux-x86_64-basic.qcow2.sig Arch-Linux-x86_64-basic.qcow2
 
 image=Arch-Linux-x86_64-basic.img
 qemu-img convert -f qcow2 -O raw Arch-Linux-x86_64-basic.qcow2 Arch-Linux-x86_64-basic.img
 
 loopdev="$(losetup --find --partscan --show "${image}")"
-mount --mkdir "${loopdev}p2" mnt
+mount --mkdir "${loopdev}p3" mnt
 
 arch-chroot mnt pacman-key --init
 arch-chroot mnt pacman-key --populate

roles/gluebuddy/files/gluebuddy_download.sh

@@ -6,6 +6,15 @@ NAME=gluebuddy
 LATEST_GLUEBUDDY_FILE=/root/latest_release
 readonly PROJECT_ID="archlinux%2Fgluebuddy"
 
+readonly TRUSTED_UIDs=(
+	anthraxx@archlinux.org
+	jelle@archlinux.org
+)
+readonly TRUSTED_KEYS=(
+	E240B57E2C4630BA768E2F26FC1B547C8D8172C8
+	E499C79F53C96A54E572FEE1C06086337C50773E
+)
+
 RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases")"
 LATEST_RELEASE_TAG="$(jq -r .[0].tag_name <<< "${RELEASES}")"
 
@@ -28,12 +37,20 @@ links=($LINKS)
 
 for i in "${links[@]}"
 do
-  curl -O $i
+  curl --silent --show-error --fail --location --remote-name "$i"
+done
+
+for uid in "${TRUSTED_UIDs[@]}"; do
+	sq wkd get "${uid}"
+done
+
+for fp in "${TRUSTED_KEYS[@]}"; do
+	sq link add --all "${fp}"
 done
 
-sq verify --signer-cert <(sq wkd get anthraxx@archlinux.org) --detached ${NAME}.sig ${NAME} || \
-	sq verify --signer-cert <(sq wkd get jelle@archlinux.org) --detached ${NAME}.sig ${NAME}
+sq verify --signer-cert "${TRUSTED_KEYS[0]}" --detached ${NAME}.sig ${NAME} || \
+	sq verify --signer-cert "${TRUSTED_KEYS[1]}" --detached ${NAME}.sig ${NAME}
 
 mv ${NAME} /usr/local/bin/${NAME}
 chmod +x /usr/local/bin/${NAME}
-echo $LATEST_RELEASE_TAG > $LATEST_GLUEBUDDY_FILE
+echo "$LATEST_RELEASE_TAG" > $LATEST_GLUEBUDDY_FILE

roles/grafana/files/dashboards/keycloak.json

@@ -359,7 +359,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum by (realm)(increase(keycloak_logins{instance=\"$instance\",job=\"keycloak\"}[1h]))",
+          "expr": "sum by (realm)(increase(keycloak_logins_total{instance=\"$instance\",job=\"keycloak\"}[1h]))",
           "format": "time_series",
           "hide": false,
           "interval": "",
@@ -462,7 +462,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "increase(keycloak_failed_login_attempts{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\"}[1h])",
+          "expr": "increase(keycloak_failed_login_attempts_total{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\"}[1h])",
           "format": "time_series",
           "hide": false,
           "instant": false,
@@ -564,7 +564,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "increase(keycloak_logins{instance=\"$instance\",job=\"keycloak\",realm=\"$realm\",provider=\"keycloak\"}[1h])",
+          "expr": "increase(keycloak_logins_total{instance=\"$instance\",job=\"keycloak\",realm=\"$realm\",provider=\"keycloak\"}[1h])",
           "format": "time_series",
           "hide": false,
           "interval": "",
@@ -666,7 +666,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "increase(keycloak_failed_login_attempts{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\",client_id=\"$ClientId\"}[1h])",
+          "expr": "increase(keycloak_failed_login_attempts_total{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\",client_id=\"$ClientId\"}[1h])",
           "format": "time_series",
           "hide": false,
           "interval": "",
@@ -767,7 +767,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "increase(keycloak_registrations{instance=\"$instance\",job=\"keycloak\",realm=\"$realm\",provider=\"keycloak\"}[1h])",
+          "expr": "increase(keycloak_registrations_total{instance=\"$instance\",job=\"keycloak\",realm=\"$realm\",provider=\"keycloak\"}[1h])",
           "format": "time_series",
           "hide": false,
           "interval": "",
@@ -869,7 +869,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "increase(keycloak_registrations_errors{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\",client_id=\"$ClientId\"}[1h])",
+          "expr": "increase(keycloak_registrations_errors_total{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\",client_id=\"$ClientId\"}[1h])",
           "format": "time_series",
           "hide": false,
           "interval": "",
@@ -943,7 +943,7 @@
         "multi": false,
         "name": "instance",
         "options": [],
-        "query": "label_values(keycloak_logins,instance)",
+        "query": "label_values(keycloak_logins_total,instance)",
         "refresh": 1,
         "regex": "",
         "skipUrlSync": false,
@@ -970,7 +970,7 @@
         "multi": false,
         "name": "realm",
         "options": [],
-        "query": "label_values(keycloak_logins{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\"},realm)",
+        "query": "label_values(keycloak_logins_total{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\"},realm)",
         "refresh": 1,
         "regex": "",
         "skipUrlSync": false,
@@ -990,14 +990,14 @@
           "value": ""
         },
         "datasource": "Prometheus",
-        "definition": "label_values(keycloak_logins{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\"},client_id)",
+        "definition": "label_values(keycloak_logins_total{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\"},client_id)",
         "hide": 0,
         "includeAll": false,
         "label": "ClientId",
         "multi": false,
         "name": "ClientId",
         "options": [],
-        "query": "label_values(keycloak_logins{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\"},client_id)",
+        "query": "label_values(keycloak_logins_total{instance=\"$instance\",job=\"keycloak\",provider=\"keycloak\",realm=\"$realm\"},client_id)",
         "refresh": 1,
         "regex": "",
         "skipUrlSync": false,

roles/grafana/templates/grafana.ini.j2

@@ -91,6 +91,14 @@ root_url = https://{{grafana_domain}}
 #exampleHeader1 = exampleValue1
 #exampleHeader2 = exampleValue2
 
+#################################### GRPC Server #########################
+;[grpc_server]
+;network = "tcp"
+;address = "127.0.0.1:10000"
+;use_tls = false
+;cert_file =
+;key_file =
+
 #################################### Database ####################################
 [database]
 # You can configure the database connection by specifying type, host, name, user and password
@@ -224,6 +232,9 @@ path = ":memory"
 # Limits the number of rows that Grafana will process from SQL data sources.
 ;row_limit = 1000000
 
+# Sets a custom value for the `User-Agent` header for outgoing data proxy requests. If empty, the default value is `Grafana/<BuildVersion>` (for example `Grafana/9.0.0`).
+;user_agent =
+
 #################################### Analytics ####################################
 [analytics]
 # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
@@ -273,6 +284,9 @@ check_for_updates = false
 # Rudderstack Config url, optional, used by Rudderstack SDK to fetch source config
 ;rudderstack_config_url =
 
+# Intercom secret, optional, used to hash user_id before passing to Intercom via Rudderstack
+;intercom_secret =
+
 # Controls if the UI contains any links to user feedback forms
 ;feedback_links_enabled = true
 
@@ -421,7 +435,7 @@ allow_sign_up = false
 # Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
 ;auto_assign_org_id = 1
 
-# Default role new users will be automatically assigned (if disabled above is set to true)
+# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
 ;auto_assign_org_role = Viewer
 
 # Require email validation before sign up completes
@@ -496,6 +510,7 @@ signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/
 ;oauth_state_cookie_max_age = 600
 
 # Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
+# Deprecated, use skip_org_role_sync option for specific provider instead.
 ;oauth_skip_org_role_update_sync = false
 
 # limit of api_key seconds to live before expiration
@@ -529,6 +544,8 @@ hide_version = true
 
 #################################### GitHub Auth ##########################
 [auth.github]
+;name = GitHub
+;icon = github
 ;enabled = false
 ;allow_sign_up = true
 ;auto_login = false
@@ -547,6 +564,8 @@ hide_version = true
 
 #################################### GitLab Auth #########################
 [auth.gitlab]
+;name = GitLab
+;icon = gitlab
 ;enabled = false
 ;allow_sign_up = true
 ;auto_login = false
@@ -565,6 +584,8 @@ hide_version = true
 
 #################################### Google Auth ##########################
 [auth.google]
+;name = Google
+;icon = google
 ;enabled = false
 ;allow_sign_up = true
 ;auto_login = false
@@ -580,6 +601,8 @@ hide_version = true
 
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
+;name = Grafana.com
+;icon = grafana
 ;enabled = false
 ;allow_sign_up = true
 ;auto_login = false
@@ -591,7 +614,8 @@ hide_version = true
 
 #################################### Azure AD OAuth #######################
 [auth.azuread]
-;name = Azure AD
+;name = Microsoft
+;icon = microsoft
 ;enabled = false
 ;allow_sign_up = true
 ;auto_login = false
@@ -898,6 +922,9 @@ mode = syslog
 # global limit of alerts
 ;global_alert_rule = -1
 
+# global limit of correlations
+; global_correlations = -1
+
 #################################### Unified Alerting ####################
 [unified_alerting]
 #Enable the Unified Alerting sub-system and interface. When enabled we'll migrate all of your alert rules and notification channels to the new system. New alert rules will be created and your notification channels will be converted into an Alertmanager configuration. Previous data is preserved to enable backwards compatibility but new data is removed.```
@@ -1186,6 +1213,8 @@ mode = syslog
 ;plugin_catalog_url = https://grafana.com/grafana/plugins/
 # Enter a comma-separated list of plugin identifiers to hide in the plugin catalog.
 ;plugin_catalog_hidden_plugins =
+# Log all backend requests for core and external plugins.
+;log_backend_requests = false
 
 #################################### Grafana Live ##########################################
 [live]
@@ -1270,6 +1299,14 @@ mode = syslog
 ;grpc_host =
 ;grpc_port =
 
+[support_bundles]
+# Enable support bundle creation (default: true)
+#enabled = true
+# Only server admins can generate and view support bundles (default: true)
+#server_admin_only = true
+# If set, bundles will be encrypted with the provided public keys separated by whitespace
+#public_keys = ""
+
 [enterprise]
 # Path to a valid Grafana Enterprise license.jwt file
 ;license_path =

roles/keycloak/tasks/main.yml

 - name: Install keycloak
-  pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,python-passlib state=present
+  pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,python-passlib state=present
 
 - name: Create postgres keycloak user
   postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"

roles/matrix/tasks/main.yml

@@ -78,7 +78,7 @@
 - name: Install synapse
   pip:
     name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc,user-search]==1.80.0'
+      - 'matrix-synapse[postgres,oidc,systemd,url-preview,redis,user-search]==1.83.0'
     state: latest
     extra_args: '--upgrade-strategy=eager'
     virtualenv: /var/lib/synapse/venv
@@ -149,7 +149,7 @@
   git:
     repo: https://github.com/matrix-org/matrix-appservice-irc
     dest: /var/lib/synapse/matrix-appservice-irc
-    version: 0.37.0
+    version: 0.38.0
     force: true
   become: true
   become_user: synapse

roles/matrix/templates/homeserver.yaml.j2

@@ -135,6 +135,7 @@ oidc_providers:
     client_secret: "{{ vault_matrix_openid_client_secret }}"
     scopes: ["openid", "profile", "email", "roles"]
     allow_existing_users: false
+    enable_registration: true
     backchannel_logout_enabled: true
     user_mapping_provider:
       config:

roles/matrix/templates/turnserver.conf.j2

 # Coturn TURN SERVER configuration file
 #
 # Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false',
 # and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
 # If the value is missing, then it means 'true' by default.
 #
@@ -23,7 +23,7 @@ listening-port=2410
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 # functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports
+# For secure TCP connections, Coturn currently supports SSL version 3 and
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
@@ -389,7 +389,7 @@ realm={{ matrix_domain }}
 # Total bytes-per-second bandwidth the TURN server is allowed to allocate
 # for the sessions, combined (input and output network streams are treated separately).
 #
-# bps-capacity=0
+#bps-capacity=0
 
 # Uncomment if no UDP client listener is desired.
 # By default UDP client listener is always started.
@@ -611,7 +611,8 @@ no-stun
 
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
-# rest-api-separator=:
+#
+#rest-api-separator=:
 
 # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
@@ -663,7 +664,7 @@ secure-stun
 #
 #mobility
 
-# Allocate Address Family according (DEPRECATED and will be removed in favour of allocation-default-address-family)
+# Allocate Address Family according (DEPRECATED and will be removed in favor of allocation-default-address-family)
 # If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
 # (By default Coturn works according RFC 6156.)
@@ -678,10 +679,10 @@ secure-stun
 # Possible values: "ipv4" or "ipv6" or "keep" 
 # "keep" sets the allocation default address family according to 
 # the TURN client allocation request connection address family.
+#
 #allocation-default-address-family="ipv4"
 #allocation-default-address-family="ipv4"
 
-
 # User name to run the process. After the initialization, the turnserver process
 # will attempt to change the current user ID to that user.
 #
@@ -734,13 +735,14 @@ no-cli
 #web-admin-port=8080
 
 # Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security resons! (Not recommended in any production environment!)
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
 #
 #web-admin-listen-on-workers
 
-#acme-redirect=http://redirectserver/.well-known/acme-challenge/
 # Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
 # Default is '', i.e. no special handling for such requests.
+#
+#acme-redirect=http://redirectserver/.well-known/acme-challenge/
 
 # Server relay. NON-STANDARD AND DANGEROUS OPTION.
 # Only for those applications when you want to run

roles/networking/files/dns.conf

@@ -8,8 +8,8 @@ UseDNS=false
 UseDNS=false
 
 [Network]
-DNS=1.1.1.1#cloudflare-dns.com
-DNS=1.0.0.1#cloudflare-dns.com
-DNS=2606:4700:4700::1111#cloudflare-dns.com
-DNS=2606:4700:4700::1001#cloudflare-dns.com
+DNS=9.9.9.9#dns.quad9.net
+DNS=149.112.112.112#dns.quad9.net
+DNS=2620:fe::fe#dns.quad9.net
+DNS=2620:fe::9#dns.quad9.net
 DNSOverTLS=true