Compare revisions

80d25742 · 6c5a35b1 · 5c92f503 · 9301b599 · 87472ae0 · 268bc4d0
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -18,3 +18,5 @@ skip_list:
  - fqcn
  # Allow free-form module calling syntax
  - no-free-form
+  # Allow role includes with unprefixed role variables
+  - var-naming[no-role-prefix]
--- a/.gitlab/issue_templates/Offboarding.md
+++ b/.gitlab/issue_templates/Offboarding.md
@@ -29,6 +29,7 @@ This template should be used for offboarding Arch Linux team members.
 - [ ] Remove staff cloak on Libera Chat ([Group contacts](https://wiki.archlinux.org/title/Arch_IRC_channels#Libera_Chat_group_contacts)).
 - [ ] Remove the user from relevant staff groups on Keycloak.
 - [ ] Move the user from the public list of their usergroup on archweb ([support staff](https://archlinux.org/people/support-staff/) / [TUs](https://archlinux.org/people/trusted-users/) / [devs](https://archlinux.org/people/developers/)) to the respective fellow site ([fellow support staff](https://archlinux.org/people/support-staff-fellows/) / [fellow TUs](https://archlinux.org/people/trusted-user-fellows/) / [fellow devs](https://archlinux.org/people/developer-fellows/))
+- [ ] Remove the user from the Arch Linux github organisation

 ## Main key offboarding checklist

@@ -40,6 +41,8 @@ This template should be used for offboarding Arch Linux team members.
 - [ ] Remove member from [arch-tu](https://lists.archlinux.org/mailman3/lists/arch-tu.lists.archlinux.org/members/member/) and/or [arch-dev](https://lists.archlinux.org/mailman3/lists/arch-dev.lists.archlinux.org/members/member/) mailing lists.
 - [ ] Ask the user to leave `#archlinux-tu` and/or `#archlinux-dev` on Libera Chat and forget the password(s).
 - [ ] Create an issue in [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring) using the [*"Remove Packager Key"*](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new?issuable_template=Remove%20Packager%20Key) template.
+- [ ] Remove [stale package relations](https://archlinux.org/packages/stale_relations/) for the now inactive user.
+- [ ] Remove their extended permissions on AURweb

 ## DevOps offboarding checklist


--- a/.gitlab/issue_templates/Onboarding.md
+++ b/.gitlab/issue_templates/Onboarding.md
@@ -55,12 +55,12 @@ https://www.gnupg.org/gph/en/manual/x135.html
  <!-- The ticket should be created by the developer becoming a new main key holder -->
 - [ ] Create an issue in [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring) using the [*"New Main Key"*](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new?issuable_template=New%20Main%20Key) template.

-## TU/Developer onboarding checklist
+## Package Maintainer/Developer onboarding checklist

 <!-- The ticket should be created by a sponsor of the new packager -->
 - [ ] Create an issue in [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring) using the [*"New Packager Key"*](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new?issuable_template=New%20Packager%20Key) template.
- [ ] Assign the user to the `Trusted Users` or `Developers` group on Keycloak.
- [ ] Assign the user to the `Trusted Users` or `Developers` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
+- [ ] Assign the user to the correct group in the `Arch Linux Staff/Package Maintainer Team/` group on Keycloak.
+- [ ] Assign the user to the `Package Maintainers` or `Developers` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
 - [ ] Subscribe **communication e-mail address** to internal [arch-tu](https://lists.archlinux.org/mailman3/lists/arch-tu.lists.archlinux.org/mass_subscribe/) or [arch-dev](https://lists.archlinux.org/mailman3/lists/arch-dev.lists.archlinux.org/mass_subscribe/) mailing list.
 - [ ] Give the user access to `#archlinux-tu` or `#archlinux-dev` on Libera Chat.


--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Install these packages:
 ### Instructions

 All systems are set up the same way. For the first time setup in the Hetzner rescue system,
-run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml -l $host`.
+run the provisioning script: `ansible-playbook playbooks/tasks/install_arch.yml -l $host`.
 The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
 After the provisioning script has run, it is safe to reboot.

@@ -36,19 +36,23 @@ secrets like Hetzner credentials; access to the `super` vault is controlled by
 the `vault_super_pgpkeys` variable.

 All the keys should be on the local user gpg keyring and at **minimum** be
-locally signed with `--lsign-key`. This is necessary for running any of the
-`reencrypt-vault-default-key`, `reencrypt-vault-super-key `or `fetch-borg-keys`
-tasks.
+locally signed with `--lsign-key` (or if you use TOFU, have `--tofu-policy
+good`). This is necessary for running any of the `reencrypt-vault-default-key`,
+`reencrypt-vault-super-key `or `fetch-borg-keys` tasks.

 #### Note about packer

 We use packer to build snapshots on hcloud to use as server base images.
 In order to use this, you need to install packer and then run

-    packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
+    packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.pkr.hcl

 This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.

+For the sandbox project please run
+
+    packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_sandbox_infrastructure_api_key --format env | sed 's/_sandbox_infrastructure//') -var install_ec2_public_keys_service=true packer/archlinux.pkr.hcl
+
 #### Note about terraform

 We use terraform in two ways:

--- a/docs/geomirrors.md
+++ b/docs/geomirrors.md
+# Geo mirrors
+
+DevOps team maintain a geo mirror across the world. The Geo mirror is public facing on geo.mirror.pkgbuild.com domain and it will resolve the closest to the location of the requester mirror.
+
+## Locations
+
+| Mirror | Location |
+| ----------- | ----------- |
+| https://sydney.mirror.pkgbuild.com/ | Australia |
+| https://europe.mirror.pkgbuild.com/ | Czechia |
+| https://asia.mirror.pkgbuild.com/ | Hong Kong |
+| https://seoul.mirror.pkgbuild.com/ | South Korea |
+| https://london.mirror.pkgbuild.com/ | United Kingdom |
+| https://america.mirror.pkgbuild.com/ | United States |
+
+### Logical split
+The continent mirrors america, asia and europe contain the archive mirrors as well as repository mirrors. The city mirrors have just the repositories hosted.
+
+## Requirements
+- Host with Arch Linux installed
+- root access provided
+- Enough storage to host repos / debugrepos (at least)
+- Bandwidth (depends on location)
+
+## Adding a new mirror box
+- Add new entries in `hosts` file under `mirrors` and `geo_mirrors` sections
+- Adjust terraform `tf-stage1/archlinux.tf` to include the IPv4 and IPv6 entries of the new server
+- Adjust terraform `tf-stage1/templates.tf` to include the IPv4 and IPv6 entries of the new server as a `NS` record for `geo.mirror.pkgbuild.com`
+- Add a new files in `host_vars`
+    - `host_vars/<fqdn>/misc`
+        Containing all the information for the mirror itself
+    - `host_vars/<fqdn>/vault_wireguard.yml`
+        Containing the wireguard private key in encrypted vault
+
+## Ansible Playbooks execution
+
+| Playbook | Roles | Reason | Hosts (limits) |Comments |
+| ----------- | ----------- | ----------- | ----------- |  ----------- |
+| install_arch | All | Install Arch | | Optional if you can |
+| mirrors.yml | All | Setup mirror | `<fqdn>` | |
+| redirect.archlinux.org.yml | dyn_dns | Make TXT records | | |
+| gemini.archlinux.org.yml | dbscripts | Allow debug repo syncing | | |
+| mirrors.yml | geo_dns | Add new domain to DNS | All other mirrors from geo.mirror | |
+| monitoring.archlinux.org.yml | wireguard,prometheus | Allow loki and prometheus to fetch data | | |
+| archlinux.org.yml | postgres,wireguard | Allow wireguard IP to connect for Mirror check | | Optional see Check Location below |
+
+### Add mirror in geo.mirror.pkgbuild.com
+
+Add mirror IP and FQDN in archweb admin https://archlinux.org/admin/mirrors/mirror/ under the `geo.mirror.pkgbuild.com` entry.
+
+### Check Location (optional)
+
+If you want the server to check for ping and stats create an entry in:
+ https://archlinux.org/admin/mirrors/checklocation/
--- a/docs/matrix.md
+++ b/docs/matrix.md
@@ -11,37 +11,47 @@ For the initial sign-in you need to use a client that supports OpenID Single-Sig
 [Element Web](https://app.element.io/). Enter `@username:archlinux.org` as the username and Element
 should offer to sign into our homeserver.

-You will be automatically invited to several rooms:
-  - `#archlinux:archlinux.org`: A public room for Arch Linux users.
-  - `#internal:archlinux.org`: A staff-only room with end-to-end encryption.
+You will be automatically invited to several spaces and rooms:
+  - `#public-space:archlinux.org`: A public space for Arch Linux users.
+    - `#archlinux:archlinux.org`: A public room for Arch Linux users.
+  - `#staff-space:archlinux.org`: A staff-only space for Arch Linux staff.
+    - `#internal:archlinux.org`: A staff-only room with end-to-end encryption.

 Password login is currently disabled, which might exclude some clients. It can be re-enabled should
 demand exist.

 If you need to provide your client with a homeserver address, use `https://matrix.archlinux.org`.

-## IRC bridges
+## Our rooms bridged to IRC

-### Our bridge
+We bridge several of our private IRC channels on Libera.Chat to Matrix.

-We bridge several of our private IRC channels on Libera Chat to Matrix, which you need to be invited
-into:
+These rooms are open to all staff-space members:
+  - `#packaging:archlinux.org`: Bridged with `#archlinux-packaging`.
+  - `#staff:archlinux.org`: Bridged with `#archlinux-staff`.
+
+The following rooms are not open to all staff, so you need to be invited:
  - `#developers:archlinux.org`: Bridged with `#archlinux-dev`.
  - `#trusted-users:archlinux.org`: Bridged with `#archlinux-tu`.
-  - `#staff:archlinux.org`: Bridged with `#archlinux-staff`.

 Please request an invitation in `#internal:archlinux.org` for the rooms you need to be in.

-### Matrix.org bridge
-
-Channels without keys are available via the official Libera Chat bridge. For example:
-  - `#archlinux-devops:libera.chat`: Bridged with `#archlinux-devops`.
-  - `#archlinux-projects:libera.chat`: Bridged with `#archlinux-projects`.
-
-**Please avoid joining large bridged rooms (such as `#archlinux:libera.chat`), as these slow down
-the server immensely.**
-
-Libera Chat may require you to have a registered nick to join certain channels. Once
-`@appservice:libera.chat` contacts you, tell it `!username <username>`, then `!storepass <password>`
-with the username and the password of your Libera Chat NickServ account. Then `!reconnect` and it
-will reconnect you as registered.
+These rooms are bridged to public channels, for which you should log into Libera.Chat via SASL:
+  - `#aurweb:archlinux.org`: Bridged with `#archlinux-aurweb`.
+  - `#bugs:archlinux.org`: Bridged with `#archlinux-bugs`.
+  - `#devops:archlinux.org`: Bridged with `#archlinux-devops`.
+  - `#pacman:archlinux.org`: Bridged with `#archlinux-pacman`.
+  - `#projects:archlinux.org`: Bridged with `#archlinux-projects`.
+  - `#reproducible:archlinux.org`: Bridged with `#archlinux-reproducible`.
+  - `#security:archlinux.org`: Bridged with `#archlinux-security`.
+  - `#testing:archlinux.org`: Bridged with `#archlinux-testing`.
+  - `#wiki:archlinux.org`: Bridged with `#archlinux-wiki`.
+
+If you fail to do so, your bridged IRC user cannot join the channels, meaning your messages won't be
+bridged. See [Libera.Chat's guide](https://libera.chat/guides/registration) on how to register a
+nickname. Afterwards, contact `@irc-bridge:archlinux.org` and send it the folllowing commands:
+  - `!username <username>`, with the primary nickname you registered with, then
+  - `!storepass <password>`, with your password for NickServ, and then
+  - `!reconnect` to reconnect and attempt the SASL login.
+
+If this worked, `@liberachat_SaslServ:archlinux.org` should contact you after the reconnect.
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -26,11 +26,6 @@
 ### Services
  - aurweb

-## bugs.archlinux.org
-
-### Services
-  - flyspray
-
 ## bbs.archlinux.org

 ### Services

--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -64,11 +64,14 @@
 256 MD5:46:23:93:5c:db:68:8e:a3:0a:eb:cb:18:13:94:73:dc root@archlinux-packer (ED25519)
 3072 MD5:13:8f:2f:f6:c6:90:10:6b:ee:e8:66:e5:60:ef:d8:f8 root@archlinux-packer (RSA)

-# bugs.archlinux.org
-1024 SHA256:c8CCzrXjPnUEi0d0B2yLzMWK935TyjzoCOdcP12BwEM root@archlinux-packer (DSA)
-256 SHA256:z9CfWniDILraPxPn4e8Sao/vaAseI29KyXEhGU3sNRk root@archlinux-packer (ECDSA)
-256 SHA256:ZL2RVyqM9FsvoSNqyXg9J7keN4QxRMD6+m6i4dDYkao root@archlinux-packer (ED25519)
-3072 SHA256:u1iIRQp0fVyM2pgTTca/nxG/iO1QxbfR2nGhnIkohfg root@archlinux-packer (RSA)
+# bugbuddy.archlinux.org
+256 SHA256:W48E9liL/BWU71lLYZJhlS8AGZR1pM7H77O0zFkbnnE root@archlinux-packer (ECDSA)
+256 SHA256:uQhXRN2O7Az5leFjhEcaKiHOk6/Rx+h8J2XIzf/VzlQ root@archlinux-packer (ED25519)
+3072 SHA256:S4ASUzOKMIpkVMwtrcIhJZprajE5JE/Aq/P/tAphqOY root@archlinux-packer (RSA)
+
+256 MD5:6d:35:ad:ef:f6:2c:ca:ad:7f:75:bb:36:60:ad:aa:cd root@archlinux-packer (ECDSA)
+256 MD5:02:38:35:e8:5c:62:dc:56:29:be:fb:1c:96:2c:17:4c root@archlinux-packer (ED25519)
+3072 MD5:0a:a1:a1:44:4e:65:8b:10:f3:54:83:eb:17:41:f1:0c root@archlinux-packer (RSA)

 1024 MD5:cf:10:49:2f:d2:35:99:35:59:8f:e2:54:b3:05:cb:a7 root@archlinux-packer (DSA)
 256 MD5:d1:94:76:51:bb:7b:88:41:03:6d:12:63:a5:03:5f:58 root@archlinux-packer (ECDSA)
@@ -172,6 +175,15 @@
 256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
 3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)

+# london.mirror.pkgbuild.com
+256 SHA256:nV6DcJxhmdL7pW/NBGFBdlkgr3kR7steSifyE0SAp/o root@archlinux (ECDSA)
+256 SHA256:lUy7cN8+reHUVfR5/L79HcjyUYGIty/lZym3OSx1x7A root@archlinux (ED25519)
+3072 SHA256:KDneiTz4xCynWVBX+IixTwdKvkGE3ftPVqktrv2Ob/k root@archlinux (RSA)
+
+256 MD5:0c:05:09:df:41:f9:a8:56:b5:4b:cc:7e:de:cb:15:83 root@archlinux (ECDSA)
+256 MD5:01:04:d4:d0:94:01:39:29:c8:56:63:95:94:43:4f:b3 root@archlinux (ED25519)
+3072 MD5:32:84:33:41:0a:63:29:53:e9:76:ce:e6:4c:c0:ee:14 root@archlinux (RSA)
+
 # mail.archlinux.org
 1024 SHA256:/d3MC4NoQbPSNgNebFyzNCze4HVHPhITVWy9vWdZUp4 root@archlinux-packer (DSA)
 256 SHA256:IbQnu28PPf6iZnr6DPwzITD4o2DznYMO6j0mkjZXasE root@archlinux-packer (ECDSA)
@@ -238,6 +250,15 @@
 256 MD5:fe:a1:ab:4d:f6:5d:76:f9:a3:99:be:fd:51:ee:77:ed root@archlinux-packer (ED25519)
 3072 MD5:ad:ee:a6:6d:b7:9b:f0:f7:78:9f:df:b4:53:2e:5f:9f root@archlinux-packer (RSA)

+# opensearch.archlinux.org
+256 SHA256:Fq62NmjmKfqHPvXk4t983pikezNWbGUokYoGljjTRlo root@archlinux-packer (ECDSA)
+256 SHA256:9BrCmtZiltz907mhTMA/5UVxy1Uwjmb+eN5yjbcVt2c root@archlinux-packer (ED25519)
+3072 SHA256:EpjAs3u1WeJnK544tQmjmWqUwDBFAOpcYcC5ivPM5hQ root@archlinux-packer (RSA)
+
+256 MD5:90:f9:fb:08:c2:9a:ff:36:e3:a1:d4:e1:74:d7:b2:55 root@archlinux-packer (ECDSA)
+256 MD5:18:a1:76:01:9d:7a:63:14:00:99:0a:fe:6f:0b:e0:c8 root@archlinux-packer (ED25519)
+3072 MD5:fd:a7:f9:8f:dc:6b:c0:b7:da:27:ce:88:a7:0c:a9:5e root@archlinux-packer (RSA)
+
 # phrik.archlinux.org
 1024 SHA256:+482UWH5/pSMZ8VoIgkGZxGOm1tZ72rI5RrZsnQHDVk root@archlinux-packer (DSA)
 256 SHA256:qL+sG+DBwRKII1uPVcFHKQUfQNd7sW0x6iop6/Ki1Og root@archlinux-packer (ECDSA)

--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -40,10 +40,10 @@ bbs.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdH
 bbs.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjGeVCog3j6fl366joK7DyUfWNQ+U7axeF+gkTjkCNl
 bbs.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDD8jZKxtOg4C79uaFlZtGm1rPrk5q2zn9WT5tZVIb/DAMZjwBunmYNN3uY+ZWcKOWh52NBJ6m/Awt3/v4fhVwqFOf2IncZ/rk47f5yofvpCpnsFCCVxofS+YDAzfvw/kyFntOy1XVl3752H5ZZ8dG3sQ+oH6fI7joigzYo8LufYLplqQ0eulA2HyfLqVTOd5ZT9rVENJnZaryVVRtxll3sa+/chyR6NKzLQIHfvjVq743Y01Mtz20p4jw3ASK0bVM9yVpx+KnercmLaYZ+EvrvyJiJsLQ5wFg0cJR3Nwj3sQae3ViOX9krjrXnLe8OMK5khUp+28UvWlh9payxciyZ1mrz/3OB8PUlPQMUeNp20oLfjvEFRoyYw9jVx2LzBPUMLjb1JMnvLrF8ihKzPf9zRSJR3lrL7bTtecLh+frTxY55cx2PlovEIwI7gtGm0pjA8bcfI3/IgtDZOLlWOyjwl2QmS3ArAF4WZfmCg/51fbv50bv2l/Cou+WaAOhrR6U=

-# bugs.archlinux.org
-bugs.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEYyQCHa1ojANfKHvlFbEFQ8Gxvz/iGBnnvf/G1IntEe9iJnw9b63T43dtlQyLReCs5ZeeUUDNMS9g4wSuEjudE=
-bugs.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZLeVfVnG/ShEKO+Aud/MGPEFIbkvPJ+O5M79UXK++r
-bugs.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCwWAqTR0Gr9h9MuSPkh9a97H3qNxetnpWFfUscnrTibEsf+YFr8wx7g661XAkbcb44ni23mkXQpPPYaZRXDrAg/hdcs/OxojyYAfzHjJUjNmRXF8HiGYKE6Ry08NgFw8QkcA3umk5S7po/4GH9n8LS6RKOM2qw1732ZAEowVx59Bnxn7yxdA6xoybESRCc0dcGATR75RvMpK/DO9F0lc1AQsXwABhp7COFzz3Ucd24kJGfXeXuoBqb6W8V223fVbUvn0PZgvB536MTyJT/8+hBN5SsgeXYavP0hLoRkov7IN+5kM39aHWUvySh8NDFeffOn9DdNnpoR6roZDn/KI1klAhnUbKXM7L4r2qNa26J6pb82gegvOVRx9nQooxE5TOiDtTHMqZ856DwhmD8tCfRcMYxA/YP9/aFEaZEGYOoCPVrd2Fq3wM0obaqJD+LdaLRFtk86+AgXODzBFokM7dCvGw2qr00X0+GKhKErqBRYg+WQBnC3J8KG0yyYobnvc=
+# bugbuddy.archlinux.org
+bugbuddy.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsIKtPGPApC9KUANzjmrmTuQ+p9VCFazMfjSYobqzfX5K8sdwslLcZWRO9u+thx5q+IajDZ773SPIu1nLRr8nA=
+bugbuddy.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwd8YdPeQGAAlc9PsejSUvZFqnJqIclEz40BkjarQWh
+bugbuddy.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmvWFNjc+wfUpsa1Zz+U/gfKW9z8ki5kgor8cO9frtyVweSEegrY8NaWKuOyTSq7jIpn+Zw49udq3QuHLpNvFolGU6T9ZVv/vVTf2a06mPAmyBMqgddFf1z4+L+1EKqQm2v4Zh6fChYGrW+ty5dnrXMIrNcPJEBLUnFeZDTPisnvri5Z0PBTG/u8kjWeZ95aKltFlXONy9GgMp3bhqMUgc08wrlrqpaFJojdHz0g2uxa4L68iSUSsCqlBNYFKx8mnDdpK2VyCVTxwooDds9fov15xV5i2OsLKZLkHm788CwrT97djaNjX32DE4uXZ2h0qdOKNi0oM8U4BFY7B8Rs/LQ++ZcX+JMiCwxMJ9l8r2vYGot88I/afI3qpR0Qwne54sws+gOHsXQS6xZWMByUmARnM/fnr+5h16Mr79XenaCGBpMogGC8+i7A4C1aPAexeGVLT5eluSPLJsMUqlYiOGt2hnI1zoyHbzJm0DYWvHTlenvGgb3icc1X1kgqEDrp8=

 # build.archlinux.org
 build.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBQbDI6+yt8T1Jmm1u30rRo4QrT66L9lewUHuVy1vkwEn1kzcyS1gSy1Ze6DkseeZEqEap3kUg3VtMUA402rsv0=
@@ -90,6 +90,11 @@ lists.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
 lists.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
 lists.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdPJQIkN6wDk/140HS1WCIKc0Iz7Oq8c98XaLB0i9ksUxkWB4rxia/WP5RRF+g9yAqZvIg0f5W0d85pfuh+1TOccXk8r6GsH+gRIEkdmwu4Mf7iBpkQxl3n70yjNGxgbwGkVG9vREvJ4v3l/NRZrX2/N3RvcPG9TQwjFFOFYTRZNfUPvsppk572yQ8cjf7oUvJmLOwsKagO5WMUoKFAbO35/Mp2H6VbApYtIdpkFOXnaJUVduHInNa18CmKl28ZSTsigLkYb8pboS6RacJYgA5kK0vQsXCguDrA+SI9k1xW4i9FjUWsLlPuLkk9c7Tj39R95gWhxWwQ99ApNDVvZa+skSbMS7h4/d3NosyM2OO9LfqPiHn2xDsuvmpN0ScCwuocwR09EMrj4MQKzo31ITFHuSyxob0Z4yTQrKvJxdNwveXqaRHFNXUvSWtoRkk2cKB5hjsr0QCROBidYu4WG+/LfolzJQfuRqH7dvg5dvmJLrcozfcCpxspdBTIEKLG/c=

+# london.mirror.pkgbuild.com
+london.mirror.pkgbuild.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOfMEQrTHC7wd+CpqBwSHZSb3tSMxytb5RjRb5jSNjGoYWWq+9qQucIZ6gbEjZFKAVmlEsqysj1B382uYO+m0No=
+london.mirror.pkgbuild.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPih1iMIOXwYTfeAopID4+TONnc1H3YS+Lh0eMBPAwz4
+london.mirror.pkgbuild.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGw/Rxp4vdykOywnxdNLvBu9KFydMuWMjSyCD+GvU1wOyPCQJoUoqxfn3okSDqq2ZIq635vzLvWYNW2qnSWQtry2Zc4xNBZ2f7I+cvUGfnWznrnE1Y2PyfNDouZACp7PleqjlghkRC7dG0HB2FKp5YVAoB6NDyCnT/NVDmMYMe2MDnfvaJkhcDk+mKpaj41LEEnZPGJLC+aup9nQx2xjosGvhXz/YXg8nb1R6I5Dws9U88960TJ5a/IS7MMcR/sV98VlQX12nIHJ1pm3pon/XYNP66eCVcbkmH+t6WKKGFXp3WbmCXPy2TzqsKy65ZtfNs+XxOEjXTXYXyvOoiruvPtTYcmR5yXEDURrZMEMhkXv/lA6CmAlocP0DC9u4GLs7OGLHeBSkGhx4JMlLvusiYkp/QBzLMnsjPG6X+tem4cbaRf70bLIH+uAEkuIzo79iPuJ/JjeZAzqWGVbkBlW4UYiS2ih1bT/0CLa2rcRQTs6++9/LWAEpj03s9m9nFOr8=
+
 # mail.archlinux.org
 mail.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFvJy2P8zOSKt3EocULHN85PVGW1AINk15+GilqUc5a79Zsy0FvWqV16fjxLRN3zIOkBvSKZMvsNadja+quEr9s=
 mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTOaeIt48Y0PiBj9qlJi1H
@@ -120,6 +125,11 @@ monitoring.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA
 monitoring.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCU4tNW4WHTQ43+HBbho/sbsU3BCzildSOziaJrVNvE
 monitoring.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVAMU3iku88nPDAKjB++je4RRRkotwNdJEhRcO45Ujslhbq67D6BwcnaliR0ekZuhkQFs13dTNVGeb1VqN3I/wHVaECsd/Gz7Q2M5Ki2CqdUR8ztGaW/eWpY9r8Yk+h/fWdnZdnJPYhk7uZftJI9buqyqpkthvjQy9fZ2wyOb/BAk+7BYUdclcvCEMlW9HQljpgmj7snjTpMYMN0t3U7X3xydcOO6PwNIoSikufuMmbtCqtsUx/Xl1mVU2Xi584L8arjoKn9a4OjMUDorqAlFLeco6bWn5XEdfim6e+W55ZKg333j4KGMBFVW5Dk5mZGKfykalq4WONMe3nu0m4EqYFA/rGG/smliqjxCbWu9N6eDw1gKYOeq5gzx7ppQ9zL3BjL3gl+AbeUckxNCQ+zM66amZC6GmciiMq+hnpqeTUhocaGeriGVda4vO+IlCp4Wwx1zqcCZaHyzt/eIWT9DuXDqHq4gAshluGUR0gFTJ/0qhrYxQA/dW681LE3r9YLE=

+# opensearch.archlinux.org
+opensearch.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPfEiVTq6bLKydE0yse2kiw5Tznz3Kb+Du92HCg61EeFQs/TzOuo4vKZCr3Rt7/6bV2aMZU8HXE0223AukEH4aU=
+opensearch.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKom1E2rOlhSY7b4Cd+L6IpAjZWA2yIX4/ndeENRbn9c
+opensearch.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCTSSgfIvPbV+FUZyBxowFKitorhDMthJSlG5Ww5gvSV6/2k8swCiMgexOrw+qzuOtCGfua48Ulu+DNADPfwARtC2Qrm7K8tTCgnVR2FiAwoUSdoCFVpIRf5pN3EFAlnKbFGKVnEmucYuUc8XY3Wl0iMi/b4jbrsiNC0/HHNcbiRtRLHHJ8aAWhvllpVEIsIZv1XB51io88WkiHa0veUZMg/HsYJBipMAFuOHQGHQ8eQVFxtyBixSzvyR4SYFBMu3kuQXkGM/zR5jD94mu4+gv1I4P2OTuYoIVjZym1H9V/zhGjH3HJCnxgJbfn2M23ttejRMy9+HeaB1UQDzQzwJPV0qBpGb4FraYToznB5S/hv8v6CbKQxBzHbUSncDjvWJ6mOalzYKwnrvjLuM83XJJExcuNiSynxYEuMOcuLRcge1R3SUfoHKYF+YWwNkWmJVgI3Bf6CfnlClR9XZ0W1JZMHA+YpwCldIF284V53uwDGqHnFR2YVnwFbU8liTtdpnE=
+
 # phrik.archlinux.org
 phrik.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHHPJ79o6go5pRmE5eoeHe6kS9gM7Nsx///MA/tpmyqY/8ktgYu6MTnvSYKdgF1O4oSTfsU5mc7grpq7Qsl8+tA=
 phrik.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO45OY6f+b4KyFq13PyxjN/EcU11cgVZ1CrQZN2hGP0h

--- a/docs/wireguard.md
+++ b/docs/wireguard.md
+# WireGuard
+
+Many of our servers communicate through wireguard VPN with each others. If you need to collect logs with `loki` and metrics with `prometheus` for dashboards you need to have a wiregauard IP.
+
+## Setting up
+1. For a new server add a new unused wireguard IP and set the following in `host_vars/<fqdn>/misc`
+    ```
+    wireguard_address: <wg-ip>
+    wireguard_public_key: <wg-pubkey>
+    ```
+
+1. Save the private key in a encypted vault in  `host_vars/<fqdn>/vault_wireguard.yml`
+
+    Tips: 
+    - Pick next available IP for Wireguard from `grep -r wireguard_address host_vars/ | cut -f3 -d: | sort -h`
+
+    - Wireguard key generation docs: https://www.wireguard.com/quickstart/#key-generation 
+1. Execute `wireguard` and `prometheus` roles on `monitoring.archlinux.org.yml` playbook to get data from the server
--- a/group_vars/all/archusers.yml
+++ b/group_vars/all/archusers.yml
@@ -3,7 +3,6 @@ arch_groups:
  - junior-dev
  - tu
  - fellows
-  - multilib
  - support-staff
  - packager
  - junior-packager
@@ -46,7 +45,6 @@ arch_users:
    ssh_key: alex19ep.pub
    groups:
      - tu
-      - multilib
      - packager
      - junior-packager
  allan:
@@ -65,7 +63,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
      - packager
      - junior-packager
  artafinde:
@@ -75,7 +72,6 @@ arch_users:
    groups:
      - dev
      - junior-dev
-      - multilib
      - tu
      - packager
      - junior-packager
@@ -87,7 +83,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
      - packager
      - junior-packager
  andrew:
@@ -116,7 +111,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
      - packager
      - junior-packager
  andyrtr:
@@ -144,7 +138,6 @@ arch_users:
    shell: /bin/zsh
    groups:
      - tu
-      - multilib
      - packager
      - junior-packager
  arodseth:
@@ -153,7 +146,6 @@ arch_users:
    ssh_key: arodseth.pub
    groups:
      - tu
-      - multilib
      - packager
      - junior-packager
  arojas:
@@ -166,7 +158,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  aur-notify:
    name: ""
    groups: []
@@ -205,7 +196,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  braindamage:
    name: "BrainDamage"
    ssh_key: braindamage.pub
@@ -229,6 +219,14 @@ arch_users:
      - packager
      - junior-packager
      - tu
+  codingkoopa:
+    name: "CodingKoopa"
+    email: "koopa@archlinux.org"
+    ssh_key: codingkoopa.pub
+    hosts:
+      - mail.archlinux.org
+    groups:
+      - support-staff
  daurnimator:
    name: "Daurnimator"
    email: "daurnimator@archlinux.org"
@@ -256,7 +254,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  denisse:
    name: "Andrea Denisse Gómez-Martínez"
    ssh_key: denisse.pub
@@ -271,16 +268,6 @@ arch_users:
      - mail.archlinux.org
    groups:
      - support-staff
-  diabonas:
-    name: "Jonas Witschel"
-    email: "diabonas@archlinux.org"
-    ssh_key: diabonas.pub
-    groups:
-      - packager
-      - junior-packager
-      - dev
-      - junior-dev
-      - tu
  donate:
    name: ""
    groups: []
@@ -293,7 +280,6 @@ arch_users:
      - junior-packager
      - dev
      - junior-dev
-      - multilib
      - tu
  edh:
    name: "Gordian Edenhofer"
@@ -321,7 +307,13 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
+  fabiscafe:
+    name: "Fabian Bornschein"
+    email: "fabiscafe@archlinux.org"
+    ssh_key: fabiscafe.pub
+    groups:
+      - packager
+      - junior-packager
  farseerfc:
    name: "Jiachen Yang"
    email: "farseerfc@archlinux.org"
@@ -340,7 +332,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  ffy00:
    name: "Filipe Laíns"
    email: "lains@archlinux.org"
@@ -371,7 +362,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  foxboron:
    name: "Morten Linderud"
    email: "foxboron@archlinux.org"
@@ -411,7 +401,6 @@ arch_users:
      - junior-packager
      - dev
      - junior-dev
-      - multilib
      - tu
  gromit:
    name: "Christian Heusel"
@@ -437,9 +426,13 @@ arch_users:
  heftig:
    name: "Jan Steffens"
    email: "heftig@archlinux.org"
-    ssh_key: heftig.pub
+    ssh_key: heftig_nitrokey.pub
    additional_ssh_keys:
-      - name: heftig_dragon.pub
+      - name: heftig_yubikey.pub
+        hosts:
+          - all
+      # Used to publish nightly packages
+      - name: heftig_build.pub
        hosts:
          - homedir.archlinux.org
    groups:
@@ -448,7 +441,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  idevolder:
    name: "Ike Devolder"
    email: "ike.devolder@archlinux.org"
@@ -467,7 +459,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  jleclanche:
    name: "Jerome Leclanche"
    email: "jleclanche@archlinux.org"
@@ -507,7 +498,6 @@ arch_users:
      - junior-packager
      - dev
      - junior-dev
-      - multilib
      - tu
  kewl:
    name: "Kewl FFT"
@@ -535,11 +525,12 @@ arch_users:
      - support-staff
  lahwaacz:
    name: "Jakub Klinkovský"
+    email: "lahwaacz@archlinux.org"
    ssh_key: lahwaacz.pub
-    hosts:
-      - mail.archlinux.org
    groups:
      - support-staff
+      - packager
+      - junior-packager
  lcarlier:
    name: "Laurent Carlier"
    email: "lordheavym@archlinux.org"
@@ -550,7 +541,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  lfleischer:
    name: "Lukas Fleischer"
    email: "lfleischer@archlinux.org"
@@ -562,7 +552,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  maximbaz:
    name: "Maxim Baz"
    email: "maximbaz@archlinux.org"
@@ -575,6 +564,14 @@ arch_users:
      - packager
      - junior-packager
      - tu
+  moson:
+    name: "Mario Oenning"
+    email: "moson@archlinux.org"
+    ssh_key: moson.pub
+    hosts:
+      - mail.archlinux.org
+    groups:
+      - support-staff
  mtorromeo:
    name: "Massimiliano Torromeo"
    email: "mtorromeo@archlinux.org"
@@ -623,7 +620,6 @@ arch_users:
      - junior-packager
      - dev
      - junior-dev
-      - multilib
      - tu
  pitastrudl:
    name: "Arun Bahl"
@@ -640,16 +636,6 @@ arch_users:
      - packager
      - junior-packager
      - tu
-  remy:
-    name: "Rémy Oudompheng"
-    email: "remy@archlinux.org"
-    ssh_key: remy.pub
-    groups:
-      - packager
-      - junior-packager
-      - dev
-      - junior-dev
-      - tu
  sangy:
    name: "Santiago Torres-Arias"
    email: "santiago@archlinux.org"
@@ -676,7 +662,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  seblu:
    name: "Sébastien Luttringer"
    email: "seblu@archlinux.org"
@@ -688,7 +673,6 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
  serebit:
    name: "Campbell Jones"
    email: "serebit@archlinux.org"
@@ -697,7 +681,6 @@ arch_users:
      - packager
      - junior-packager
      - tu
-      - multilib
  shibumi:
    name: "Christian Rebischke"
    email: "chris.rebischke@archlinux.org"
@@ -722,7 +705,6 @@ arch_users:
      - packager
      - junior-packager
      - tu
-      - multilib
  raster:
    name: "Carsten Haitzler"
    email: "raster@archlinux.org"
@@ -747,7 +729,6 @@ arch_users:
      - packager
      - junior-packager
      - tu
-      - multilib
  segaja:
    name: "Andreas Schleifer"
    email: "segaja@archlinux.org"
@@ -766,7 +747,12 @@ arch_users:
      - dev
      - junior-dev
      - tu
-      - multilib
+  tcanabrava:
+    name: "Tomaz Canabrava"
+    email: "tcanabrava@archlinux.org"
+    ssh_key: tcanabrava.pub
+    groups:
+      - junior-packager
  torxed:
    name: "Anton Hvornum"
    email: "torxed@archlinux.org"
@@ -792,8 +778,14 @@ arch_users:
      - junior-packager
      - dev
      - junior-dev
-      - multilib
      - tu
+  wahrwolf:
+    name: "Vincent Dahmen"
+    ssh_key: wahrwolf.pub
+    hosts:
+      - mail.archlinux.org
+    groups:
+      - support-staff
  wild:
    name: "Dan Printzell"
    email: "wild@archlinux.org"
@@ -817,11 +809,9 @@ arch_users:
    groups:
      - packager
      - junior-packager
-      - multilib
      - tu

 # utility accounts to protect from the "disable ssh keys of disabled users" task
 utility_users:
  gemini.archlinux.org:
-    - svn-packages
-    - svn-community
+    - git-packages
--- a/group_vars/all/dyn_dns.yml
+++ b/group_vars/all/dyn_dns.yml
+dyn_dns_server: "{{ hostvars['redirect.archlinux.org']['ipv4_address'] }}"
+dyn_dns_zones:
+  _acme-challenge.geo.mirror.pkgbuild.com: &acme_challenge
+    key: certbot
+    allowed_ipv4: "{{ groups['geo_mirrors'] | map('extract', hostvars, ['ipv4_address']) }}"
+    allowed_ipv6: "{{ groups['geo_mirrors'] | map('extract', hostvars, ['ipv6_address']) }}"
+    valid_qtypes: [TXT]
+  _acme-challenge.riscv.mirror.pkgbuild.com: *acme_challenge
+  sandbox.archlinux.page:
+    key: sandbox
+    allowed_ipv4: "{{ groups['gitlab_runners'] | map('extract', hostvars, ['ipv4_address']) }}"
+    allowed_ipv6: "{{ groups['gitlab_runners'] | map('extract', hostvars, ['ipv6_address']) }}"
+    valid_qtypes: [A, AAAA]
+    subdomains: only
--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -3,45 +3,47 @@ sudo_users:
  - root
  - foutrelis
  - freswa
-  - grazzolini
  - heftig
  - jelle
  - svenstaro
  - anthraxx
  - klausenbusk
  - artafinde
+  - gromit

 # deploy tag 'root_ssh' when this changes
 root_ssh_keys:
  - key: foutrelis.pub
  - key: freswa.pub
-  - key: grazzolini.pub
-  - key: heftig.pub
+  - key: heftig_nitrokey.pub
  - key: jelle.pub
  - key: svenstaro.pub
  - key: anthraxx.pub
  - key: klausenbusk.pub
  - key: artafinde.pub
+  - key: gromit.pub

-# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
-#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
-# - before committing the re-encrypted password file, test if both vaults are
-#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
+# run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
+# changes; before doing so, make sure to 'gpg --lsign-key' all keys from both
+# sets (or if you use TOFU, `gpg --tofu-policy good`) before committing the
+# re-encrypted password file, then test that both vaults are working using
+# `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
 # NOTE: adding a key to this list gives access to both default and super vaults
 vault_super_pgpkeys: &vault_super_pgpkeys
  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
-  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
-  - A2FF3A36AAA56654109064AB19802F8B0D70FC30  # heftig
+  - 83BC8889351B5DEBBB68416EB8AC08600F108CDF  # heftig
  - E499C79F53C96A54E572FEE1C06086337C50773E  # jelle
  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
  - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
  - B4B759625D4633430B74877059E43E106B247368  # artafinde
+  - F00B96D15228013FFC9C9D0393B11DAA4C197E3D  # gromit

-# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
-# - before running it, make sure to 'gpg --lsign-key' all keys listed below
-# - before committing the re-encrypted password file, test that the vault
-#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
+# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes;
+# before doing so, make sure to 'gpg --lsign-key' all keys below (or if you use
+# TOFU, `gpg --tofu-policy good`) before committing the re-encrypted password
+# file, then test that the vault is working by running `ansible-vault view
+# misc/vaults/vault_hcloud.yml`
 vault_default_pgpkeys:
  - *vault_super_pgpkeys
--- a/group_vars/all/vault_bugbuddy.yml
+++ b/group_vars/all/vault_bugbuddy.yml
+$ANSIBLE_VAULT;1.1;AES256
+39373434666461363763613035393939643631303536303065346633626338303531353538376564
+3433616133616461383836313130313533316536616436660a366333636663326430376661336637
+35356663323361346238383339323433623939303361333135646437343562366466653464353833
+3162616161373030360a363332343237306134636263346237363361343862653738306237386261
+32366461393061393562373762343432313161386166323934383135316532633734616266623539
+62313138636162363861303333616439616164626462656234653334353631653430656261323439
+66303336656462616363653364353332303562663663336539396534326436646136373539646339
+62616534303337643064316162663731393339303436653066653436396566633966326539376435
+61363737383231323137663033656437393761393135373238613961663439346631353437646661
+30396262636134326463393030666538613535323333633830366361613037633862303030386664
+653665306630313164303537323436356231
--- a/group_vars/all/vault_dyn_dns_keys.yml
+++ b/group_vars/all/vault_dyn_dns_keys.yml
+$ANSIBLE_VAULT;1.1;AES256
+62393237353533363738376335336564623464336332393733306465333339376130613338356537
+6166666538303939313238323238616433653036376662360a323663613934636539333365303166
+33343266613234363965363233666165383333343862326436313935636631326266363462613033
+3937393135656534370a663035633362643931653864336336396535373038396165633934366433
+31656663396538376337373762386162386665353639336235363233643139303763333861376339
+62306130363039376431396234333030616235306530343336326237656638636435363038663931
+39356535643265616337306530393962373537336335333764363565313939373565326561613066
+36633931656662393538353836353365386634663736356131323435333265653832656162306230
+64326535353532373137656535386531333536353531643863646135386664333030363564376463
+61386537306235356666353761383237336133376665393365663636386238373534623833306430
+37323336623537613034643763363439643063633433323431623932646465363230316533356337
+34623964653036383766316336373462363562333963663939333431643665643737643164396565
+38396332356630366665666239656562313430363432366639373235343430653236356438643131
+65623438313963356630333939636663393539656463376339326631636263313564636432343635
+39656466323965626264623332393630333035396638653039343536373337643165313564333363
+36626239303836383932336537313061663961636137396162303838356661386636303262653633
+33336665306634363866386237623733643663313136373037376631363364343161373731626637
+30346433666230663564643731616566663339393166343061333033386462366663383839653631
+363865646464333236663262323265376363
--- a/group_vars/all/vault_flyspray.yml
+++ b/group_vars/all/vault_flyspray.yml
-$ANSIBLE_VAULT;1.1;AES256
-39333765333461666666366166316161363238636565313031663063326466353133616239373864
-3661663534313132643430623835663266373534653533360a333866313730333764646431313364
-36306437633730623032633838333864626432353232383961356533633035383339373638333264
-3961343462653739610a363532306537313534343735386166633463333437613863366663303666
-34353762323732356464383031393536636534346133623732633438633763313839656436363064
-63333330363139383365636234353833316539646234373738343465656566353837373763636365
-36393066353233353765623862363165363565323937366639633964303665346664646633643932
-30663665646464383835333532656437633934333864366263326261653162383263646234303666
-37373232313932356361653332393065646236333736623730323866393666663235
--- a/group_vars/geo_mirrors/vault_certbot.yml
+++ b/group_vars/geo_mirrors/vault_certbot.yml
-../../host_vars/redirect.archlinux.org/vault_certbot.yml
\ No newline at end of file
--- a/host_vars/aur.archlinux.org/misc
+++ b/host_vars/aur.archlinux.org/misc
 filesystem: btrfs
+fail2ban_jails:
+  sshd: true
+  postfix: false
+  dovecot: false
+  nginx_limit_req: true
 memcached_socket: "/run/memcached/aurweb.sock"
-sshd_enable_includes: true
 wireguard_address: 10.0.0.2
 wireguard_public_key: TPLeGQ7qU6ZNtcgDbEV0SSYScvK+XS5igcPdGSXo6UA=
--- a/host_vars/bugbuddy.archlinux.org/misc
+++ b/host_vars/bugbuddy.archlinux.org/misc
+filesystem: btrfs
+wireguard_address: 10.0.0.44
+wireguard_public_key: vtu2TM79djeQQA0qqPVuZHxSHz8hdHQ1P15ONF6zSx4=
--- a/host_vars/bugbuddy.archlinux.org/vault_wireguard.yml
+++ b/host_vars/bugbuddy.archlinux.org/vault_wireguard.yml
+$ANSIBLE_VAULT;1.1;AES256
+36623330313366306639313763636132616435633030616363383733386663373966396466396532
+6239386539646333383436653435613731323666346365310a363663353436323562353930336662
+31303162656166333165303966346137363266393763383463633636623330373966376537623433
+3432353931333031610a663365653431356536343861363964323861366130636161633461323165
+65633966386166663064393830333061633466313033356538643466323138346531313838663133
+31356665323935316165633836636436316137356565323930393766623661393334306139343061
+37646266373236643332333736326264333866396137623237383361333362333832326161636461
+31616262616538643233
No results found