Enables TLS 1.3.

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites

Where http does not redirect to https. These are package mirrors and
the web key directory.

Levente Polyak authored Sep 03, 2019 and Jelle van der Waa committed Sep 03, 2019

Protect from simple privilege escalation attacks on scripts that are
granted privileged execution for unprivileged users by restricting
the PATH to a static set.
Without doing so, it is a trivial attack to provide a binary used
by a privileged script that executes former without an absolute path
to escalate privileges by gaining code execution through that binary.

Anything run with elevated privileges through sudo shall never ever
have the possibility to pass on the unsanatized PATH from an
unprivileged user.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

This bans all requests exceeding 1/min in a time period of 30 minutes.
This might be too harse and can be adjusted later.

These are static requests for JS/CSS assets which are the topmost
request for the wiki. Caching these in nginx helps a lot to turn down
the load.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

This reverts commit 9809d84d.

I forgot our package already does this.

- Restore fstype to mount tasks. Annoyingly it does not default to auto.
- Use the right task type for copying files and place them in the chroot.
- Install both python-requests and python-yaml.

- Move ext4 handling to not-btrfs, allowing XFS
- Improve btrfs mkfs and mount options
  space_cache=v2 only needs to be done once and is automatic afterwards

Improves performance on btrfs.

Prevents borg from backing up the database thrice,
 - once as a database dump,
 - once because /var/lib/postgres/data/ is part of the root backup,
 - once because /var/lib/postgres/backup/ is part of the root backup.