roles/archwiki/templates/LocalSettings.php.j2

@@ -112,7 +112,7 @@ $wgEnableEmail      = true;
 $wgEnableUserEmail  = true; # UPO
 
 $wgEmergencyContact = "webmaster@archlinux.org";
-$wgPasswordSender   = "webmaster@archlinux.org";
+$wgPasswordSender   = "noreply+wiki@archlinux.org";
 
 $wgEnotifUserTalk      = true; # UPO
 $wgEnotifWatchlist     = true; # UPO
@@ -185,6 +185,10 @@ $wgUseInstantCommons  = false;
 ## this, if it's not already uncommented:
 #$wgHashedUploadDirectory = false;
 
+## Enable native SVG rendering
+$wgFileExtensions[] = 'svg';
+$wgSVGNativeRendering = true;
+
 
 ##
 ## Skin settings
@@ -205,13 +209,22 @@ $wgArchNavBar = array(
 			'Packages' => 'https://archlinux.org/packages/',
 			'Forums' => 'https://bbs.archlinux.org/',
 			'Wiki' => 'https://wiki.archlinux.org/',
-			'Bugs' => 'https://bugs.archlinux.org/',
+			'GitLab' => 'https://gitlab.archlinux.org/archlinux',
 			'Security' => 'https://security.archlinux.org/',
 			'AUR' => 'https://aur.archlinux.org/',
 			'Download' => 'https://archlinux.org/download/'
 		);
 $wgArchNavBarSelectedDefault = 'Wiki';
-$wgFooterIcons = ['copyright' => ['copyright' => '']];
+$wgFooterIcons = [
+	"copyright" => [
+		"copyright" => [],
+	],
+	"poweredby" => [
+		"mediawiki" => [
+			"src" => null,
+		],
+	],
+];
 
 ##
 ## User roles
@@ -224,7 +237,7 @@ $wgFooterIcons = ['copyright' => ['copyright' => '']];
 $wgGroupPermissions['maintainer'] = array();
 $wgGroupPermissions['translator'] = array();
 $wgGroupPermissions['archdev'] = array();
-$wgGroupPermissions['archtu'] = array();
+$wgGroupPermissions['archpackager'] = array();
 $wgGroupPermissions['archstaff'] = array();
 $wgGroupPermissions['administrator_fellow'] = array();
 
@@ -359,6 +372,7 @@ $wgGroupPermissions['sysop']['abusefilter-log-private'] = true;
 $wgGroupPermissions['sysop']['abusefilter-hide-log'] = true;
 $wgGroupPermissions['sysop']['abusefilter-hidden-log'] = true;
 $wgGroupPermissions['sysop']['abusefilter-privatedetails-log'] = true;
+$wgGroupPermissions['sysop']['renameuser'] = true;
 
 # filter groups
 $wgAbuseFilterValidGroups = array( 'default', 'proofed' );
@@ -384,6 +398,8 @@ wfLoadExtension( 'Interwiki' );
 $wgGroupPermissions['sysop']['interwiki'] = true;
 
 # TitleKey extension
+# Suppress deprecation warning, see https://phabricator.wikimedia.org/T353985
+$wgDeprecationReleaseLimit = "1.0";
 wfLoadExtension( 'TitleKey' );
 
 # BounceHandler extension
@@ -405,7 +421,7 @@ $wgCaptchaTriggers['addurl'] = false;
 $wgCaptchaTriggers['createaccount'] = true;
 $wgCaptchaTriggers['badlogin'] = true;
 $wgCaptchaQuestions = [
-    'What is the output of: <code>pacman -V|base32|head -1</code>' => trim(file_get_contents("{{ archwiki_question_answer_file }}"))
+    'What is the output of: <code>LC_ALL=C pacman -V|sed -r "s#[0-9]+#$(date -u +%m)#g"|base32|head -1</code>' => trim(file_get_contents("{{ archwiki_question_answer_file }}"))
 ];
 
 # Restrict expensive actions to logged in users
@@ -417,10 +433,6 @@ $wgCaptchaQuestions = [
 #$wgSpecialPageLockdown['Diff'] = [ 'user' ];
 #$wgActionLockdown['history'] = ['user'];
 
-# Renameuser extension
-wfLoadExtension( 'Renameuser' );
-$wgGroupPermissions['sysop']['renameuser'] = true;
-
 # UserMerge extension
 wfLoadExtension( 'UserMerge' );
 $wgGroupPermissions['sysop']['usermerge'] = true;
@@ -440,6 +452,24 @@ wfLoadExtension( 'CodeEditor' );
 # DarkMode extension
 wfLoadExtension( 'DarkMode' );
 
+# Thanks extension
+wfLoadExtension( 'Echo' );
+wfLoadExtension( 'Thanks' );
+
+# Discussion Tools
+$wgVisualEditorAvailableNamespaces = [
+    NS_MAIN => false,
+    "Talk" => false,
+    "User" => false,
+    "File" => false,
+    "Category" => false,
+    NS_DEVELOPERWIKI => false,
+];
+
+wfLoadExtension( 'VisualEditor' );
+wfLoadExtension( 'Linter' );
+wfLoadExtension( 'DiscussionTools' );
+
 ##
 ## Temporary settings for maintenance
 ##

roles/archwiki/templates/archwiki-prune-cache.service.j2

@@ -5,7 +5,7 @@ Description=Archwiki Prune Cache Service
 Type=oneshot
 User={{ archwiki_user }}
 WorkingDirectory={{ archwiki_dir }}
-ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/pruneFileCache.php -q --agedays 1
+ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/run.php pruneFileCache -q --agedays 1
 
 NoNewPrivileges=yes
 PrivateTmp=yes

roles/archwiki/templates/archwiki-question-updater.hook.j2

-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = pacman
-
-[Action]
-When = PostTransaction
-Exec = /usr/bin/systemctl start archwiki-question-updater.service

roles/archwiki/templates/archwiki-question-updater.service.j2

@@ -3,4 +3,5 @@ Description=Update Archwiki pacman question answer
 
 [Service]
 Type=oneshot
-ExecStart=/bin/bash -c 'pacman -V|base32|head -1 > "{{archwiki_question_answer_file}}"'
+# %% is needed here to escape systemd's own templating
+ExecStart=/bin/bash -c 'LC_ALL=C pacman -V|sed -r "s#[0-9]+#$(date -u +%%m)#g"|base32|head -1 > "{{archwiki_question_answer_file}}"'

roles/prometheus_exporters/templates/prometheus-aur-textcollector.timer.j2 → roles/archwiki/templates/archwiki-question-updater.timer.j2

 [Unit]
-Description=Prometheus Arch Exporter TextCollector Timer
+Description=Monthly Timer to update the Archwiki pacman question
 
 [Timer]
-OnUnitActiveSec=5m
-OnBootSec=5min
+OnCalendar=*-*-1 00:00:00
+Persistent=true
 
 [Install]
 WantedBy=timers.target

roles/archwiki/templates/archwiki-runjobs-wait.service.j2

@@ -5,7 +5,7 @@ After=mysqld.service
 [Service]
 User={{ archwiki_user }}
 WorkingDirectory={{ archwiki_dir }}
-ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/runJobs.php -q --wait
+ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/run.php runJobs -q --wait
 Restart=on-failure
 
 NoNewPrivileges=true

roles/archwiki/templates/archwiki-runjobs.service.j2

@@ -5,7 +5,7 @@ Description=Archwiki runJobs Service
 Type=oneshot
 User={{ archwiki_user }}
 WorkingDirectory={{ archwiki_dir }}
-ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/runJobs.php -q
+ExecStart=/usr/bin/php {{ archwiki_dir }}/public/maintenance/run.php runJobs -q
 
 NoNewPrivileges=true
 ProtectHome=true

roles/archwiki/templates/nginx.d.conf.j2

@@ -118,6 +118,12 @@ server {
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
+
+    location /images/ {
+        # Add the nosniff header to the images folder (required for mw 1.40+)
+        add_header X-Content-Type-Options nosniff;
+    }
+
     location /images/deleted {
         # Deny access to deleted images folder
         deny all;

roles/aurweb/defaults/main.yml

@@ -8,8 +8,8 @@ aurweb_conf_dir: '/etc/aurweb'
 aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
 aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
 aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
-aurweb_version: 'v6.2.4'
-aurweb_pgp_keys: ['B4B759625D4633430B74877059E43E106B247368', 'DB650286BD9EAE39890D3FE6FE3DC1668CB24956']
+aurweb_version: 'v6.2.9'
+aurweb_pgp_keys: ['B4B759625D4633430B74877059E43E106B247368', 'DB650286BD9EAE39890D3FE6FE3DC1668CB24956', 'D5AD89388A7C6C9C22E790994A4760AB4EE15296']
 
 aurweb_db: 'aur'
 aurweb_db_host: 'localhost'
@@ -26,3 +26,28 @@ aurweb_window_length: '86400'
 aurweb_memcached_memory: 2048
 
 aurweb_workers: 4
+aurweb_environment_type: 'prod'
+
+# aurweb timers and services are installed and restarted by default,
+# unless .install and .restart are explicitly set to "false"
+aurweb_timers:
+  - { name: "aurweb-git.timer" }
+  - { name: "aurweb-aurblup.timer" }
+  - { name: "aurweb-mkpkglists.timer" }
+  - { name: "aurweb-pkgmaint.timer" }
+  - { name: "aurweb-popupdate.timer" }
+  - { name: "aurweb-votereminder.timer" }
+  - { name: "aurweb-usermaint.timer" }
+  - { name: "aurweb-github-mirror.timer", install: "{{ aurweb_environment_type == 'prod' }}", restart: "{{ aurweb_environment_type == 'prod' }}" }
+
+aurweb_services:
+  - { name: "aurweb-git.service", restart: false }
+  - { name: "aurweb-aurblup.service", restart: false }
+  - { name: "aurweb-mkpkglists.service", restart: false }
+  - { name: "aurweb-pkgmaint.service", restart: false }
+  - { name: "aurweb-popupdate.service", restart: false }
+  - { name: "aurweb-votereminder.service", restart: false }
+  - { name: "aurweb-usermaint.service", restart: false }
+  - { name: "aurweb-github-mirror.service", install: "{{ aurweb_environment_type == 'prod' }}", restart: false }
+  - { name: "aurweb.service" }
+  - { name: "goaurrpc.service", install: false }

roles/aurweb/tasks/main.yml

@@ -30,22 +30,22 @@
   user: name="{{ aurweb_user }}" shell=/bin/bash createhome=yes
   register: aur_user
 
-- name: Create .ssh for the aur user
-  file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
-
-- name: Install SSH key for mirroring to GitHub
-  copy: src=id_ed25519.vault dest={{ aur_user.home }}/.ssh/id_ed25519 owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
-
-- name: Fetch host keys for github.com
-  command: ssh-keyscan github.com
-  args:
-    creates: "{{ aur_user.home }}/.ssh/known_hosts"
-  register: github_host_keys
-
-- name: Write github.com host keys to the aur user's known_hosts
-  lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
-  loop: "{{ github_host_keys.stdout_lines }}"
-  when: github_host_keys.changed
+- name: Github SSH configuration tasks
+  when: aurweb_environment_type == "prod"
+  block:
+    - name: Install SSH key for mirroring to GitHub
+      copy: src=id_ed25519.vault dest={{ aur_user.home }}/.ssh/id_ed25519 owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
+
+    - name: Fetch host keys for github.com
+      command: ssh-keyscan github.com
+      args:
+        creates: "{{ aur_user.home }}/.ssh/known_hosts"
+      register: github_host_keys
+
+    - name: Write github.com host keys to the aur user's known_hosts
+      lineinfile: name={{ aur_user.home }}/.ssh/known_hosts create=yes line={{ item }} owner={{ aur_user.name }} group={{ aur_user.name }} mode=0644
+      loop: "{{ github_host_keys.stdout_lines }}"
+      when: github_host_keys.changed
 
 - name: Create directory
   file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
@@ -71,44 +71,18 @@
   check_mode: true
 
 - name: Install AUR systemd service and timers
-  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  template: src={{ item.name }}.j2 dest=/etc/systemd/system/{{ item.name }} owner=root group=root mode=0644
   with_items:
-    - aurweb-git.service
-    - aurweb-git.timer
-    - aurweb-git-archive.service
-    - aurweb-git-archive.timer
-    - aurweb-aurblup.service
-    - aurweb-aurblup.timer
-    - aurweb-mkpkglists.service
-    - aurweb-mkpkglists.timer
-    - aurweb-pkgmaint.service
-    - aurweb-pkgmaint.timer
-    - aurweb-popupdate.service
-    - aurweb-popupdate.timer
-    - aurweb-tuvotereminder.service
-    - aurweb-tuvotereminder.timer
-    - aurweb-usermaint.service
-    - aurweb-usermaint.timer
-    - aurweb.service
-    - aurweb-github-mirror.service
-    - aurweb-github-mirror.timer
-  when: release.changed
+    - "{{ aurweb_services }}"
+    - "{{ aurweb_timers }}"
+  when: release.changed and (item.install is not defined or item.install)
 
 - name: Stop AUR systemd services and timers
-  service: name={{ item }} enabled=yes state=stopped
+  service: name={{ item.name }} enabled=yes state=stopped
   with_items:
-    - aurweb-git.timer
-    - aurweb-git-archive.timer
-    - aurweb-aurblup.timer
-    - aurweb-mkpkglists.timer
-    - aurweb-pkgmaint.timer
-    - aurweb-popupdate.timer
-    - aurweb-tuvotereminder.timer
-    - aurweb-usermaint.timer
-    - aurweb.service
-    - goaurrpc.service
-    - aurweb-github-mirror.timer
-  when: release.changed
+    - "{{ aurweb_services }}"
+    - "{{ aurweb_timers }}"
+  when: release.changed and (item.restart is not defined or item.restart)
 
 - name: Clone aurweb repo
   git: >
@@ -153,6 +127,17 @@
               priv="{{ aurweb_db }}.*:ALL"
   no_log: true
 
+- name: Install python modules # noqa no-changed-when
+  command: poetry install
+  args:
+    chdir: "{{ aurweb_dir }}"
+  environment:
+    POETRY_VIRTUALENVS_IN_PROJECT: "true"
+    # https://github.com/python-poetry/poetry/issues/1917
+    PYTHON_KEYRING_BACKEND: "keyring.backends.null.Keyring"
+  become: true
+  become_user: "{{ aurweb_user }}"
+
 - name: Initialize the database  # noqa no-changed-when
   command: poetry run python -m aurweb.initdb
   args:
@@ -171,27 +156,6 @@
   become_user: "{{ aurweb_user }}"
   when: release.changed or db_created.changed
 
-- name: Check python module availability  # noqa no-changed-when
-  command: poetry run python3 -c 'import aurweb'
-  args:
-    chdir: "{{ aurweb_dir }}"
-  become: true
-  become_user: "{{ aurweb_user }}"
-  ignore_errors: true
-  register: aurweb_installed
-
-- name: Install python module  # noqa no-changed-when
-  command: poetry install
-  args:
-    chdir: "{{ aurweb_dir }}"
-  environment:
-    POETRY_VIRTUALENVS_IN_PROJECT: "true"
-    # https://github.com/python-poetry/poetry/issues/1917
-    PYTHON_KEYRING_BACKEND: "keyring.backends.null.Keyring"
-  become: true
-  become_user: "{{ aurweb_user }}"
-  when: release.changed or aurweb_installed.rc != 0
-
 - name: Install custom aurweb-git-auth wrapper script
   template: src=aurweb-git-auth.sh.j2 dest=/usr/local/bin/aurweb-git-auth.sh owner=root group=root mode=0755
   when: release.changed
@@ -204,13 +168,6 @@
   template: src=aurweb-git-update.sh.j2 dest=/usr/local/bin/aurweb-git-update.sh owner=root group=root mode=0755
   when: release.changed
 
-- name: Link custom aurweb-git-update wrapper to hooks/update
-  file:
-    src: /usr/local/bin/aurweb-git-update.sh
-    dest: "{{ aurweb_dir }}/aur.git/hooks/update"
-    state: link
-  when: release.changed
-
 - name: Install aurweb-git-gc script
   template: src=aurweb-git-gc.sh.j2 dest=/usr/local/bin/aurweb-git-gc.sh owner=root group=root mode=0755
   when: release.changed
@@ -251,7 +208,7 @@
 - name: Deploy new cgit release
   become: true
   become_user: "{{ aurweb_user }}"
-  file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner=root group=root mode=0644
+  file: path=/etc/uwsgi/vassals/cgit.ini state=touch owner={{ aurweb_user }} group=http mode=0644
   when: cgit.changed
 
 - name: Configure smartgit uwsgi service
@@ -316,24 +273,57 @@
   become: true
   become_user: "{{ aurweb_user }}"
 
+- name: Link custom aurweb-git-update wrapper to hooks/update
+  file:
+    src: /usr/local/bin/aurweb-git-update.sh
+    dest: "{{ aurweb_dir }}/aur.git/hooks/update"
+    state: link
+  when: release.changed
+
 - name: Configure sshd
-  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
+  template: src=aurweb_config.j2 dest=/etc/ssh/sshd_config.d/aurweb.conf owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
   notify:
     - Restart sshd
 
 - name: Start and enable AUR systemd services and timers
-  systemd: name={{ item }} enabled=yes state=started daemon_reload=yes
+  systemd: name={{ item.name }} enabled=yes state=started daemon_reload=yes
   with_items:
-    - aurweb-git.timer
-    - aurweb-git-archive.timer
-    - aurweb-aurblup.timer
-    - aurweb-mkpkglists.timer
-    - aurweb-git-archive.timer
-    - aurweb-pkgmaint.timer
-    - aurweb-popupdate.timer
-    - aurweb-tuvotereminder.timer
-    - aurweb-usermaint.timer
-    - aurweb.service
-    - goaurrpc.service
-    - aurweb-github-mirror.timer
-  when: release.changed
+    - "{{ aurweb_services }}"
+    - "{{ aurweb_timers }}"
+  when: release.changed and (item.restart is not defined or item.restart)
+
+- name: Generate and import dummy data
+  when: aurweb_environment_type == "dev"
+  block:
+    - name: Install packages for dummy data generation
+      pacman:
+        state: present
+        name:
+          - words
+          - fortune-mod
+
+    - name: Create data dir
+      file:
+        path: "{{ aurweb_dir }}/data"
+        state: directory
+        mode: "0755"
+      become: true
+      become_user: "{{ aurweb_user }}"
+
+    - name: Generate dummy data
+      command: poetry run schema/gendummydata.py data/dummy.sql
+      register: generated_data
+      args:
+        chdir: "{{ aurweb_dir }}"
+        creates: "{{ aurweb_dir }}/data/dummy.sql"
+      become: true
+      become_user: "{{ aurweb_user }}"
+
+    - name: Import dummy data
+      mysql_db:
+        name: "{{ aurweb_db }}"
+        login_host: "{{ aurweb_db_host }}"
+        login_password: "{{ vault_mariadb_users.root }}"
+        state: import
+        target: "{{ aurweb_dir }}/data/dummy.sql"
+      when: generated_data.changed

roles/aurweb/templates/aurweb-git-auth.sh.j2

 #!/bin/bash
-exec "{{ aurweb_dir }}/.venv/bin/aurweb-git-auth" "$@"
+cd "{{ aurweb_dir }}"
+source .venv/bin/activate
+exec aurweb-git-auth "$@"

roles/aurweb/templates/aurweb-git-serve.sh.j2

 #!/bin/bash
-exec "{{ aurweb_dir }}/.venv/bin/aurweb-git-serve" "$@"
+cd "{{ aurweb_dir }}"
+source .venv/bin/activate
+exec aurweb-git-serve "$@"

roles/aurweb/templates/aurweb-git-update.sh.j2

 #!/bin/bash
 cd "{{ aurweb_dir }}"
-exec poetry run aurweb-git-update "$@"
+source .venv/bin/activate
+exec aurweb-git-update "$@"

roles/aurweb/templates/aurweb-tuvotereminder.service.j2 → roles/aurweb/templates/aurweb-votereminder.service.j2

 [Unit]
-Description=Send aurweb TU vote reminder emails
+Description=Send aurweb vote reminder emails
 Requires=mysqld.service
 After=mysqld.service
 
@@ -7,7 +7,7 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 WorkingDirectory={{ aurweb_dir }}
-ExecStart=/usr/bin/poetry run aurweb-tuvotereminder
+ExecStart=/usr/bin/poetry run aurweb-votereminder
 
 NoNewPrivileges=true
 LockPersonality=true

roles/aurweb/templates/aurweb-tuvotereminder.timer.j2 → roles/aurweb/templates/aurweb-votereminder.timer.j2

 [Unit]
-Description=Send aurweb TU vote reminder emails
+Description=Send aurweb vote reminder emails
 
 [Timer]
 OnStartupSec=12h

roles/aurweb/templates/config.j2

@@ -18,6 +18,10 @@ aur_location = https://{{ aurweb_domain }}
 git_clone_uri_anon = https://{{ aurweb_domain }}/%s.git
 git_clone_uri_priv = ssh://{{ aurweb_user }}@{{ aurweb_domain }}/%s.git
 redis_address = redis://localhost
+{% if aurweb_environment_type == "dev" %}
+; Toggles traceback display in templates/errors/500.html.
+traceback = 1
+{% endif %}
 
 [ratelimit]
 request_limit = {{ aurweb_request_limt }}
@@ -63,6 +67,9 @@ pkgnames-repo = {{ aurweb_dir }}/pkgnames.git
 
 [notifications]
 notify-cmd = aurweb-notify
+{% if aurweb_environment_type == "dev" %}
+sendmail = {{ aurweb_dir }}/util/sendmail
+{% endif %}
 {# Gitlab project and token used for traceback reports. #}
 gitlab-instance = {{ vault_aurweb_gitlab_instance }}
 error-project = {{ vault_aurweb_error_project }}

roles/aurweb/templates/nginx.d.conf.j2

@@ -9,8 +9,15 @@ upstream smartgit {
 # limit Git requests to block Git DoS attempts.
 # # grep aurwebgitlimit /var/log/nginx/aur.archlinux.org/error.log | awk '{ print $14 }' | sort | uniq | sort
 limit_req_zone $binary_remote_addr zone=aurwebgitlimit:10m rate=30r/m;
+
+# limit general requests to 20 r/s to block DoS attempts.
+limit_req_zone $binary_remote_addr zone=aurweblimit:10m rate=20r/s;
+
 limit_req_status 429;
 
+# needed for long server names (dev box)
+server_names_hash_bucket_size 128;
+
 server {
     listen       80;
     listen       [::]:80;
@@ -43,8 +50,9 @@ server {
     root    {{ aurweb_dir }}/static;
     index   index.php;
 
-    location = /trusted-user/TUbylaws.html {
-	    return 301 https://tu-bylaws.aur.archlinux.org;
+    # redirect /tu to /package-maintainer for external links
+    location ~ ^/tu($|/.*) {
+        return 301 https://aur.archlinux.org/package-maintainer$1;
     }
 
     #
@@ -131,5 +139,7 @@ server {
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Ssl on;
+
+        limit_req zone=aurweblimit burst=10 nodelay;
     }
 }

roles/bugbot/defaults/main.yml

@@ -5,6 +5,5 @@ bugbot_version: '20200818'
 bugbot_pgp_keys: ['92D9C6CDE99A2024D690A76EE742683BA08CB2FF']
 bugbot_pgp_emails: ['foxboron@archlinux.org']
 bugbot_admins:
-  - keenerd
-  - falconindy
   - Foxboron
+  - jelle

roles/bugbuddy/files/bugbuddy-download.sh

+#!/bin/bash
+
+set -o nounset -o errexit -o pipefail
+
+restart_service=0
+while (( $# )); do
+	case $1 in
+		--restart)
+			restart_service=1
+			shift
+			;;
+		*)
+			echo "invalid argument: $1"
+			exit 1
+			;;
+	esac
+done
+
+readonly NAME=bugbuddy
+readonly PROJECT_ID="archlinux%2F${NAME}"
+readonly TRUSTED_UIDs=(
+	anthraxx@archlinux.org
+)
+readonly TRUSTED_KEYS=(
+	E240B57E2C4630BA768E2F26FC1B547C8D8172C8
+)
+
+readonly CURRENT_RELEASE="/root/${NAME}-current_release"
+readonly TARGET_DIR=/usr/local/bin
+
+RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases")"
+LATEST_RELEASE_TAG="$(jq -r .[0].tag_name <<< "${RELEASES}")"
+
+if [[ $LATEST_RELEASE_TAG == null ]]; then
+	echo "no releases found" >&2
+	exit 1
+fi
+
+if [ -f $CURRENT_RELEASE ]; then
+	LATEST_RELEASE_DOWNLOAD=$(cat ${CURRENT_RELEASE})
+	if [ "$LATEST_RELEASE_TAG" = "$LATEST_RELEASE_DOWNLOAD" ]; then
+		echo "already at latest release"
+		exit 0
+	fi
+fi
+
+
+TMPDIR="$(mktemp --directory --tmpdir="/var/tmp" "${NAME}-download-XXXXXXXXXXXX")"
+# shellcheck disable=SC2064
+trap "rm -rf \"${TMPDIR}\"" EXIT
+cd "${TMPDIR}"
+
+RELEASES="$(curl --silent --show-error --fail "https://gitlab.archlinux.org/api/v4/projects/${PROJECT_ID}/releases/$LATEST_RELEASE_TAG")"
+ASSETS=$(jq .assets.links <<< "${RELEASES}")
+mapfile -t LINKS < <(jq -r '.[].direct_asset_url' <<< "${ASSETS}")
+
+for link in "${LINKS[@]}"; do
+	echo "downloading ${link##*/}"
+	curl --progress-bar --show-error --fail --location --remote-name "${link}"
+done
+
+for uid in "${TRUSTED_UIDs[@]}"; do
+	sq wkd get "${uid}"
+done
+
+for fp in "${TRUSTED_KEYS[@]}"; do
+	sq --force pki link add --all "${fp}"
+done
+
+verified=0
+for key in "${TRUSTED_KEYS[@]}"; do
+	if sq verify --signer-cert "${key}" --detached ${NAME}.sig ${NAME}; then
+		verified=1
+		break
+	fi
+done
+if (( ! verified )); then
+	echo "failed to verify downloaded artifacts" >&2
+	exit 1
+fi
+
+chmod +x ${NAME}
+mv --verbose ${NAME} "${TARGET_DIR}/${NAME}"
+echo "$LATEST_RELEASE_TAG" > $CURRENT_RELEASE
+
+if (( restart_service )); then
+	systemctl restart "${NAME}"
+fi