Changes:
- Switch to arch-boxes' base image
- Verify the base image's signature
- Use the new "latest" symlink, instead of parsing the HTML for
  finding the latest arch-boxes image[1]
- Create the base image by using arch-chroot and friends, instead of
  creating a full-blown VM
- Create the VMs from domain XML template instead of virt-clone
- Switch mirror to geo.mirror.pkgbuild.com
- Try to follow "filesystem hierarchy" standards for where to place
  configuration (id_rsa) and "vendor data" (arch-boxes.asc and
  domain_template.xml)
- Misc fixes and cleanups

[1] archlinux/infrastructure!552

Upstream now provides a solution for setting the "staging dir" for
fastzip[1].

[1] https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/3130

For some workloads running in a container is too restrictive, ex:
arch-boxes (loop device, filesystem mount, pacstrap) and archiso
(pacstrap). Currently they both run a TCG accelerated QEMU VM, which is
very slow and painful to work with. We should provide a better option to
our users!

This adds a hardware accelerated VM for this kinds of workloads, which
is way faster and you can do whatever you like (mostly)!

Fix #283

* Remove www. from archlinux.org,
* Use HTTPS for the license link,
* Update $wgGitRepositoryViewers,
* Update comments referencing paths and URLs.

After starting a new container with the latest version of GitLab, opt to
remove older docker images so they do not take up disk space needlessly.

Also tweak the documentation on rebuilderd workers and add runner1.

The upstream `sample_config.yaml` is now minimal, so we cannot diff with
it anymore.

Adding/removing pages from the whitelist when using the Vector skin requires the write API now.
Without this, regular users get this error:

    You're not allowed to edit this wiki through the API.

Jakub Klinkovský authored 2 years ago and Kristian Klausen committed 2 years ago

- $wgScriptExtension was removed in MW 1.31
- $wgDBmysql5 was removed in MW 1.33
- $wgShowIPinHeader was removed in MW 1.27
- $wgUseETag was removed in MW 1.28
- $wgEnableWriteAPI was removed in MW 1.32
- $wgShowSQLErrors was removed in MW 1.37

Jakub Klinkovský authored 2 years ago and Kristian Klausen committed 2 years ago

$wgFragmentMode = [ 'html5', 'legacy' ]; is the default value since
MediaWiki 1.37:
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:$wgFragmentMode

Jakub Klinkovský authored 2 years ago and Kristian Klausen committed 2 years ago

These were fixed in MediaWiki 1.38

Jakub Klinkovský authored 2 years ago and Kristian Klausen committed 2 years ago

Also updated some settings:

- The $wgShellLocale setting was removed from MediaWiki, see
  https://www.mediawiki.org/wiki/Special:MyLanguage/MediaWiki_1.38
- The "new" Vector skin got a name "vector-2022" and can be set simply
  by $wgDefaultSkin = 'vector-2022'; see
  https://www.mediawiki.org/wiki/Skin:Vector/2022#Note_about_1.38_release

Allow only .sig, .torrent and .txt.

This is done to prevent downloading files such as https://archlinux.org/iso/latest/arch/boot/x86_64/vmlinuz-linux.

Since release 2022.07.01, there is a versionless bootstrap tarball file (archlinux-bootstrap-x86_64.tar.gz). See https://github.com/pierres/archiso-manager/pull/12.

"latest" is a valid version, so there is no need to check for the exact version number anymore.

This restores public access to recent changes, page history etc. which
was disabled in September 2019 due to misbehaving crawlers - see commits
https://github.com/archlinux/archwiki/commit/f2c518d3df94e9ad6898fdd03cac982902f8ac36
and https://github.com/archlinux/archwiki/commit/8595e8d66141e608db794f1deef3e52cb36e5e78.

Let's hope that our robots.txt has been improved since then and the
server load will not increase much. If it proves to be still a problem,
this commit can be reverted and we will figure out better solution.

Ref: archlinux/monthly-reports!1

Ref: repod!65

We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].

[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/

When a backup job fails it is usually something we want to look into and
understand its root cause before restarting the backup job. Therefore we
need to disable the restart-on-failure behavior we had previously set up.

roles/prometheus/defaults/main.yml used to include a comment with the
commands used to generate a list of HTTPS endpoints to check. Move it
into a proper script and fix it to generate the correct current list.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

/usr/lib/systemd/system is for vendor-provided service unit files.

/tmp free space is generally limited on these smaller virtual servers,
so use /var/tmp which is more spacious. debuginfod uses this to cache
recently extracted files from archives.

We don't want our users tracked by a third party.

ansible-lint 6.3.0 throws an error about this.

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

The cloud server running Loki isn't powerful enough to do aggressive
query splitting; it makes queries execute slower and generates a lot
more queries, resulting in "too many outstanding requests" in recent
Loki versions. (Maybe a bug?)

The default log level is "info" which logs too much to the journal.

Since upgrading to Loki 2.5, the query frontend was trying to connect to
the wireguard address instead of 127.0.0.1. This appears to be caused by
upstream commit c0bec07e0de1a23cb72e8834069 ("Loki: Implement common net
interface/instance addr") which now defaults to "" instead of 127.0.0.1.

Doubt the Loki team is interested in our usage data, and it's also a
risk to the confidentiality of our logs (even though it's anonymous).