pubkeys/heftig.pub → pubkeys/heftig_yubikey.pub

-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNbRKSVPySqXMjiyxYXhhusHw7a1pokxZ2paLiEQ7Ex heftig-ed25519
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNbRKSVPySqXMjiyxYXhhusHw7a1pokxZ2paLiEQ7Ex cardno:13_062_363

pubkeys/moson.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsKcvBlYwEmJN5Ea04p0p4Ut6iXjXjPwCmTELG7837l
\ No newline at end of file

pubkeys/polyzen.pub

-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjH253/8z/KxzdQn94+UJyrBibQDgWqdGCi7dvqfToB
\ No newline at end of file
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjH253/8z/KxzdQn94+UJyrBibQDgWqdGCi7dvqfToB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVHGjgJL7+Ks/eKwxwq8YOjDUnBP2zK4q9Hth96uERF

pubkeys/remy.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAwEAsevEMnFh6N4rDeld2paUoW78jwuamxyDwHhElN2LkA+JYMZQMLRPpjxjCImuY00qrYL0iRIUEuS5NBNyBbzpY2Ss8H6lTqqhrb6BT9jIXv5418tdiwxSRGbtF09CrsXrC1UCPfQrXHxkaKdTiLnP68z+2tyyH1nko8aWkxxLvyJA6lrCxH0y/4j1dQTPiKE5bto2Gm4Gkv1sWGat1BiKHCUuURUOOFRxGrkGJyUMywSTMS+3839uSMtMGByi+yqhYMrqkOKwpwCIgCqjC9Ck61OCQhKDqEtZIbHU7KQSJ5Lbi+W0M4YlUWmNuZXvx0otyZSA7iVLWeIqVVeJo3PPamiilcJRbYrJ5WGpz4f+83sN6gi63xHfCUXbLA6snxD3EjAXBaaf3ZPAknUETrL/eaHisoUpVCvWI87Nz9qBDhltjT7+AmuoEFj9u++d4cTZLa8oV/2MLNn86/6zk91hP6zi29QcRcah90chJLCF7dEs/+/Go8JsZQYGs2CbOBMNKcM5rf1QjChgckGCeNZgR7LPfIJNGY+yhVcZYBGPQ1Vq6Wh8e9agTSXgxkmG4mgUixI4+Wfi4JHc20qXzk2klD8ZZZq8DT6dZopjsKpklkcYqYjApVQxOmuIs5Odui7pAUn1LlX/YitvDJzkIGBJrd46GlrDPESSUVk+xIQRPByBRfvRw83Kk2IjIdEZXFmYKp3SseG+DBLER9ry+tCiyByoBZV3HqzkjI3zlhnLTOEuhlOvrldn7ufsVKYqHarFspdo922LWmpvDH+4PAjWypy+niXy4N0gzJ4J/giFzgKQSAiLQNBGTkDFUvkESIQL0v0ELooPmzrsNt0VlDX9v5rI4Ms4wf2CuwFt8yXH3ynAebJFDHyMU8YBKbFIW7O20CThViVx+xJuQmNq/N1f7JoR0HrmYBhcUpdVilQyCR6ieVu2TKjzEcK7EyIDlB+3aTJUQCYFfLbg/lMfyFwS9ZOnMPcQlpNCOuiGpB2xByBPmgO7Z/e+rm46e71/9/Wz remy@maison
\ No newline at end of file

pubkeys/tcanabrava.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsYxVUGkLvZXuXCMPC4FtXuqqENy+SRt0BNiGiiWDC/gaKNJq+HRHgKo3NPf9zpdjA/QTt2k/Eu+RMIy/ogb+LRiFwPoXpW17oUuuaO6J1MPikZ7MIn08/pTWcwDLOl5qdgGMPQQVSPIyYUGPtQvvL9/MDkIJSWup1+VPTVCo+aHEwzDd/2ojyjJxq3wLHEKjhhY6OH7G9Qo5NqWbTdjTG0XUuNwvPnKGZcFy+ldOOLTPWDF38J9cUwyC/F1g8VrV+dhNtndI0lOk5Zs+cEhu6X7zU+qN/o2DYMKg78eq8oiCogxXshe4I4iEVvLJGRP+4dzY64JYa0cErkktwE6tHY3qpBJsTMYVwcMPg2gdHu4O5EJiwcC+xntPrUW3h6hZyRYAzeXYZe+EmXaZ8DQtfCajFkpt3AumFJ46Q7YKCqiEiHkWYc+AnuAmLqOdebknRm8JXFPF4A4jzHjjSo2Yq7WEwpacvWHarJowIJJ8TQv8XRPskNacBTzFTJTRzWM7tOrsJ4Fb3TtN2UT3H7FVpkpbstPMy+n8Ed9s15IShz6pzlcwDXOh77bN90yimQUcsLEO/YgKmIp5xe2ol0OCeKtoAes96Ai1HheCUOg3b3+Tn6ka7/y4UOpQeHfwM5iwOT73A8GR4p26IHV31Ezb2Ky4qFmxG/b9xDctga2LfxQ== tcanabrava

pubkeys/torxed.pub

 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClN8KW45UH7Suu88PqGxsWgwYK9Om4vekWAsQ4Y5p1mrD1lRTT3Ob0FKE4XurmmCNFFvnCvaU5yhkycLmDAfYmADgNvxHnLoAsd9xNgzcBhDjMMf8f0TYdr48PnuASQAZZ4XAqTvDnF2gUZ3tcbfmdBmw2h8y9QrbR60lBYFPTLl36nfbvzCHllkShwyuejWOd7R9p2TH51nr7nyJnb/uKxTgauv4prh0JHW1osfEKtG3iWdaqCprH1lRPeyP9CdwNMvka2vSkeU0RRJyZixQpAUI9eJ27On/eHDue7C8hHZ7AGQMzPouiGGNcIHaPmL5JMuS5mZKQ1O/0mPtfZpAYbCRZ7kfsAPGn9I6eMhwYAjSHhIAL0msSW6GC/I/L4+qLIqyByEjJoZxcm3CcMoQ/aLjPH/apY8RidBckFV1vqKhqwkCZBzf1AopgvGIFthctVq2TDOsku97/LGHllc9mpw1LmyuoKbY94SSzzD2aFBEJ6zb+i+COtRSy34HT4cc=
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPP1YIJ1FWJ8FG6UKCZqLAk4kI4uGus4b9BccPUBNmzMrJ5VX6nLzS+9ZY35xEGhE0Vx37sizUzKj9CefQValcYAAAAEc3NoOg==

pubkeys/wahrwolf.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzOk/fE5KqyFmN1DhRtgMwhGhGd/P5Mu36jSopJniuaRRjlXob1zIdulO31Ofjh3BOQ1R2zuAPxp0ub2cHTqsOLWDGQeD+YYnVrIK7ubFg7dBGqxPGagNsDu5lc18OD9Yn0hBNSohROPKa/ixFfLrBsZQS74BtAp1IgJPHBJ+5nq9jbEKiIdzu26a26z5lhOIb4uUscPiaT6yoLOHV6oT23xHhkoUU6Ek8DlteO44pqOJGeGnB11w4yp0lzYZxrA6Wq6LmjXzuuD+d7RAECFaB7cC4b+uGc9BL44qasla+9hAZfRPG8qfHlz4pp2/avYFOhqD4Z69yjVO9u8gym3N+KX6SPTwSOsT2zNoEUru8y/W8dp3BR94AocLaGEjC2ktOL58xCODGS+sLSFfqMWsvZLPLg5qFTAZ6b+7taiUuA0GB3XdJPwyrHEYfi7Pc6n9ehPe7wCtF4ohue2uiaWsdEMGAHR7ybsVxdl5mzM51yx/qjuFWKdY4d142UC5VXWE= wahrwolf@wolfstation

roles/acme_dns_challenge/templates/dnsupdate-policy.lua.j2

-#jinja2: lstrip_blocks: True
--- Based on https://github.com/PowerDNS/pdns/wiki/Lua-Examples-(Authoritative)#updatepolicy-access-control-for-rfc2136-dynamic-updates
-function updatepolicy(input)
-  valid_rrnames = {
-    {% for domain in geo_domains %}
-    ["_acme-challenge.{{ domain }}."]=true,
-    {% endfor %}
-  }
-
-  -- only allow updates from our servers
-  mynetworks = newNMG()
-  mynetworks:addMasks({
-{% for host in groups['geo_mirrors'] | sort %}
-    '{{ hostvars[host]['ipv4_address'] }}/32',
-    '{{ hostvars[host]['ipv6_address'] }}/128',
-{% endfor %}
-  })
-
-  -- ignore non-authorized networks
-  if not mynetworks:match(input:getRemote())
-  then
-    pdnslog("updatepolicy: network check failed from " .. input:getRemote():toString(), pdns.loglevels.Info)
-    return false
-  end
-
-  -- ignore non-TSIG requests
-  if input:getTsigName():countLabels() == 0
-  then
-    pdnslog("updatepolicy: missing TSIG", pdns.loglevels.Info)
-    return false
-  end
-
-  -- only accept TXT record updates for _acme_challenge
-  if input:getQType() == pdns.TXT and valid_rrnames[input:getQName():toString()]
-  then
-    pdnslog("updatepolicy: query checks successful", pdns.loglevels.Info)
-    return true
-  end
-
-  pdnslog("updatepolicy: query checks failed", pdns.loglevels.Info)
-  return false
-end

roles/archbuild/files/devtools-override_arch-nspawn-.scope.conf

+[Scope]
+CPUWeight=100
+IOWeight=100

roles/archbuild/files/devtools-override_devtools.slice.conf

+[Slice]
+CPUWeight=20
+IOWeight=20
+ManagedOOMMemoryPressure=kill
+ManagedOOMMemoryPressureLimit=60%

roles/archbuild/files/sudoers

@@ -6,5 +6,7 @@ Cmnd_Alias ARCHBUILD = /usr/sbin/makechrootpkg, /usr/sbin/mkarchroot, \
 
 Defaults!ARCHBUILD     env_keep+=SOURCE_DATE_EPOCH
 
-%dev ALL = NOPASSWD: ARCHBUILD
-%tu  ALL = NOPASSWD: ARCHBUILD
+%dev              ALL = NOPASSWD: ARCHBUILD
+%junior-dev       ALL = NOPASSWD: ARCHBUILD
+%packager         ALL = NOPASSWD: ARCHBUILD
+%junior-packager  ALL = NOPASSWD: ARCHBUILD

roles/archbuild/tasks/main.yml

@@ -58,8 +58,21 @@
     - mkpkg@.timer
     - mkpkg@.service
 
-- name: Install user-.slice snippet
-  copy: src=user-.slice.d dest=/etc/systemd/system owner=root group=root mode=0644
+- name: Create drop-in directories for devtools
+  file: path=/etc/systemd/system/{{ item }}.d state=directory owner=root group=root mode=0755
+  with_items:
+    - arch-nspawn-.scope
+    - devtools.slice
+    - user-.slice
+
+- name: Install drop-in snippets for devtools
+  copy: src=devtools-override_{{ item }}.conf dest=/etc/systemd/system/{{ item }}.d/override.conf owner=root group=root mode=0644
+  with_items:
+    - arch-nspawn-.scope
+    - devtools.slice
+    - user-.slice
+  notify:
+    - Daemon reload
 
 - name: Start and enable archbuild mounts
   service: name={{ item }} enabled={{ "yes" if archbuild_fs == 'tmpfs' else "no" }} state={{ "started" if archbuild_fs == 'tmpfs' else "stopped" }}
@@ -109,8 +122,14 @@
     - clean-dests.timer
     - clean-offload-build.timer
 
-- name: Install makepkg.conf
-  template: src=makepkg.conf.j2 dest=/etc/makepkg.conf owner=root group=root mode=0644
+- name: Override makepkg.conf variables
+  lineinfile:
+    path: /etc/makepkg.conf
+    regexp: '^#?{{ item.name | regex_escape }}='
+    line: '{{ item.name }}={{ item.value }}'
+  loop:
+    - { name: MAKEFLAGS, value: '"-j$(nproc)"' }
+    - { name: SRCDEST, value: /var/lib/archbuilddest/srcdest }
 
 - name: Install archbuild sudoers config
   copy: src=sudoers dest=/etc/sudoers.d/archbuild owner=root group=root mode=0440

roles/archbuild/templates/makepkg.conf.j2

-#!/hint/bash
-#
-# /etc/makepkg.conf
-#
-
-#########################################################################
-# SOURCE ACQUISITION
-#########################################################################
-#
-#-- The download utilities that makepkg should use to acquire sources
-#  Format: 'protocol::agent'
-DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
-          'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
-          'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
-          'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
-          'rsync::/usr/bin/rsync --no-motd -z %u %o'
-          'scp::/usr/bin/scp -C %u %o')
-
-# Other common tools:
-# /usr/bin/snarf
-# /usr/bin/lftpget -c
-# /usr/bin/wget
-
-#-- The package required by makepkg to download VCS sources
-#  Format: 'protocol::package'
-VCSCLIENTS=('bzr::bzr'
-            'fossil::fossil'
-            'git::git'
-            'hg::mercurial'
-            'svn::subversion')
-
-#########################################################################
-# ARCHITECTURE, COMPILE FLAGS
-#########################################################################
-#
-CARCH="x86_64"
-CHOST="x86_64-pc-linux-gnu"
-
-#-- Compiler and Linker Flags
-#CPPFLAGS=""
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
-        -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
-        -fstack-clash-protection -fcf-protection"
-CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
-LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
-LTOFLAGS="-flto=auto"
-#RUSTFLAGS="-C opt-level=2"
-#-- Make Flags: change this for DistCC/SMP systems
-#MAKEFLAGS="-j2"
-MAKEFLAGS="-j{{ ansible_processor_vcpus + 1 }}"
-#-- Debugging flags
-DEBUG_CFLAGS="-g"
-DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
-#DEBUG_RUSTFLAGS="-C debuginfo=2"
-
-#########################################################################
-# BUILD ENVIRONMENT
-#########################################################################
-#
-# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
-#  A negated environment option will do the opposite of the comments below.
-#
-#-- distcc:   Use the Distributed C/C++/ObjC compiler
-#-- color:    Colorize output messages
-#-- ccache:   Use ccache to cache compilation
-#-- check:    Run the check() function if present in the PKGBUILD
-#-- sign:     Generate PGP signature file
-#
-BUILDENV=(!distcc color !ccache check !sign)
-#
-#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
-#-- specify a space-delimited list of hosts running in the DistCC cluster.
-#DISTCC_HOSTS=""
-#
-#-- Specify a directory for package building.
-#BUILDDIR=/tmp/makepkg
-
-#########################################################################
-# GLOBAL PACKAGE OPTIONS
-#   These are default values for the options=() settings
-#########################################################################
-#
-# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto)
-#  A negated option will do the opposite of the comments below.
-#
-#-- strip:      Strip symbols from binaries/libraries
-#-- docs:       Save doc directories specified by DOC_DIRS
-#-- libtool:    Leave libtool (.la) files in packages
-#-- staticlibs: Leave static library (.a) files in packages
-#-- emptydirs:  Leave empty directories in packages
-#-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
-#-- purge:      Remove files specified by PURGE_TARGETS
-#-- debug:      Add debugging flags as specified in DEBUG_* variables
-#-- lto:        Add compile flags for building with link time optimization
-#
-OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto)
-
-#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
-INTEGRITY_CHECK=(sha256)
-#-- Options to be used when stripping binaries. See `man strip' for details.
-STRIP_BINARIES="--strip-all"
-#-- Options to be used when stripping shared libraries. See `man strip' for details.
-STRIP_SHARED="--strip-unneeded"
-#-- Options to be used when stripping static libraries. See `man strip' for details.
-STRIP_STATIC="--strip-debug"
-#-- Manual (man and info) directories to compress (if zipman is specified)
-MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
-#-- Doc directories to remove (if !docs is specified)
-DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
-#-- Files to be removed from all packages (if purge is specified)
-PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
-#-- Directory to store source code in for debug packages
-DBGSRCDIR="/usr/src/debug"
-
-#########################################################################
-# PACKAGE OUTPUT
-#########################################################################
-#
-# Default: put built package and cached source in build directory
-#
-#-- Destination: specify a fixed directory where all packages will be placed
-#PKGDEST=/home/packages
-#-- Source cache: specify a fixed directory where source files will be cached
-#SRCDEST=/home/sources
-SRCDEST="/var/lib/archbuilddest/srcdest"
-#-- Source packages: specify a fixed directory where all src packages will be placed
-#SRCPKGDEST=/home/srcpackages
-#-- Log files: specify a fixed directory where all log files will be placed
-#LOGDEST=/home/makepkglogs
-#-- Packager: name/email of the person or organization building packages
-#PACKAGER="John Doe <john@doe.com>"
-#-- Specify a key to use for package signing
-#GPGKEY=""
-
-#########################################################################
-# COMPRESSION DEFAULTS
-#########################################################################
-#
-COMPRESSGZ=(gzip -c -f -n)
-COMPRESSBZ2=(bzip2 -c -f)
-COMPRESSXZ=(xz -c -z -)
-COMPRESSZST=(zstd -c -z -q -)
-COMPRESSLRZ=(lrzip -q)
-COMPRESSLZO=(lzop -q)
-COMPRESSZ=(compress -c -f)
-COMPRESSLZ4=(lz4 -q)
-COMPRESSLZ=(lzip -c -f)
-
-#########################################################################
-# EXTENSION DEFAULTS
-#########################################################################
-#
-PKGEXT='.pkg.tar.zst'
-SRCEXT='.src.tar.gz'
-
-#########################################################################
-# OTHER
-#########################################################################
-#
-#-- Command used to run pacman as root, instead of trying sudo and su
-#PACMAN_AUTH=()

roles/archweb/defaults/main.yml

@@ -12,7 +12,7 @@ archweb_domains_templates:
 archweb_allowed_hosts: ["{{ archweb_domain }}", 'ipxe.archlinux.org']
 archweb_nginx_conf: '/etc/nginx/nginx.d/archweb.conf'
 archweb_repository: 'https://github.com/archlinux/archweb.git'
-archweb_version: '262d7f194555f0bf6b06e611dc8f6e5fbe135302'
+archweb_version: 'release_2024-03-05'
 archweb_pgp_key: ['E499C79F53C96A54E572FEE1C06086337C50773E']
 archweb_site: true
 archweb_mirrorcheck: false

roles/archweb/templates/nginx.d.conf.j2

@@ -189,6 +189,15 @@ server {
         limit_req zone=rsslimit burst=10 nodelay;
     }
 
+    # Temporary redirects
+    location /people/trusted-user-fellows/ {
+        return 301 /people/package-maintainer-fellows/;
+    }
+
+    location /people/trusted-users/ {
+        return 301 /people/package-maintainers/;
+    }
+
     location / {
         access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
         access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_main;

roles/archwiki/defaults/main.yml

@@ -2,8 +2,8 @@ archwiki_dir: '/srv/http/archwiki'
 archwiki_domain: 'wiki.archlinux.org'
 archwiki_nginx_conf: '/etc/nginx/nginx.d/archwiki.conf'
 archwiki_user: 'archwiki'
-archwiki_repository: 'https://github.com/archlinux/archwiki.git'
-archwiki_version: '1.39.3-1'
+archwiki_repository: 'https://gitlab.archlinux.org/archlinux/archwiki.git'
+archwiki_version: '1.41.0-3'
 archwiki_question_answer_file: '/srv/http/archwiki/registration-question-answer.txt'
 
 archwiki_socket: '/run/php-fpm/archwiki.socket'

roles/archwiki/files/robots.txt

 User-agent: *
 Disallow: /index.php?
-Disallow: /index.php?diff=
-Disallow: /index.php?oldid=
-Disallow: /index.php?curid=
-Disallow: /index.php?title=Help
-Disallow: /index.php?title=Image
-Disallow: /index.php?title=MediaWiki
-Disallow: /index.php?title=Special:
-Disallow: /index.php?title=Template
 Disallow: /skins/
+Disallow: /title/File:
+Disallow: /title/Image:
+Disallow: /title/MediaWiki:
+Disallow: /title/Special:
+Disallow: /title/Template:

roles/archwiki/handlers/main.yml

@@ -2,7 +2,7 @@
   service: name=php-fpm@{{ archwiki_user }} state=restarted
 
 - name: Run wiki updatescript  # noqa no-changed-when
-  command: php {{ archwiki_dir }}/public/maintenance/update.php --quick
+  command: php {{ archwiki_dir }}/public/maintenance/run.php update --quick
   become: true
   become_user: "{{ archwiki_user }}"
 

roles/archwiki/tasks/main.yml

@@ -107,6 +107,7 @@
     - archwiki-prune-cache.service
     - archwiki-prune-cache.timer
     - archwiki-question-updater.service
+    - archwiki-question-updater.timer
 
 - name: Start and enable archwiki timers and services
   systemd:
@@ -118,6 +119,7 @@
     - archwiki-runjobs.timer
     - archwiki-prune-cache.timer
     - archwiki-runjobs-wait.service
+    - archwiki-question-updater.timer
 
 - name: Create question answer file
   systemd:
@@ -127,9 +129,3 @@
 
 - name: Ensure question answer file exists and set permissions
   file: state=file path="{{ archwiki_question_answer_file }}" owner=root group=root mode=0644
-
-- name: Create pacman.d hooks dir
-  file: state=directory owner=root group=root mode=0755 path=/etc/pacman.d/hooks
-
-- name: Install archwiki question updater hook
-  template: src=archwiki-question-updater.hook.j2 dest=/etc/pacman.d/hooks/archwiki-question-updater.hook owner=root group=root mode=0644