- May 17, 2022
-
-
Evangelos Foutras authored
Only doing this on the Hetzner storage box for now; waiting for rsync.net to upgrade to borg 1.2 so we can enable it there too.
-
- May 16, 2022
-
-
Kristian Klausen authored
-
Kristian Klausen authored
Fixes: 0b87cbfd ("mta_sts: Switch to enforce mode and bump max_age to 30 days")
-
Evangelos Foutras authored
Ansible side of commit 5007c1a8 ("tf-stage1: allow setting the NS TTL of geo domains"); both values need to match so our geo nameservers report the same TTL as that returned by the parent zone's nameservers.
-
Evangelos Foutras authored
When adding a new geo domain or doing other testing, we would want to use a low TTL to allow for making quick changes to the configuration.
-
- May 15, 2022
-
-
Kristian Klausen authored
arch-dev arch-devops arch-dev-public arch-mirrors arch-mirrors-announce arch-multilib arch-ports arch-proaudio arch-projects arch-releng arch-tu arch-women staff
-
Kristian Klausen authored
Checking the SMTP TLS reports, the last failure was 2021-12-10/11 from Mail.ru and 2021-08-28/29 from Google. Bumping the max_age to 30 days as the RFC states: "To mitigate the risks of attacks at policy refresh time, it is expected that this value typically be in the range of weeks or greater."[1].

[1] https://datatracker.ietf.org/doc/html/rfc8461
-
- May 14, 2022
-
-
Kristian Klausen authored
It is run as part of the nntp runner now[1].

[1] https://gitlab.com/mailman/mailman/-/merge_requests/895
-
Kristian Klausen authored
Setup mailman3 server
See merge request archlinux/infrastructure!437
-
Kristian Klausen authored
The server has been reimaged to be sure the playbook and roles work as intended.
-
Kristian Klausen authored
arch-announce arch-devops-private arch-events arch-wiki-admins
-
Kristian Klausen authored
-
Kristian Klausen authored
mailman-web has been packaged in the community repo and it uses different paths than my homebrewed PKGBUILD.
-
Kristian Klausen authored
-
Kristian Klausen authored
We want to migrate to mailman3 as mailman2 is basically unmaintained and requires Python 2 which is EOL. Because the mailman and mailman3 packages conflict and we don't want to perform a big bang migration, mailman3 must be deployed on a separate server. mailman-web (mailman3's web interface) hasn't been packaged yet, so for now we are using my homebrewed PKGBUILD[1].

[1] https://gist.github.com/klausenbusk/5982063f95c503754a51ed2fefb8915e

Ref #59
-
Evangelos Foutras authored
Fixes: afb582b1 ("geomirror: extract acme dns challenge into new role")
-
Evangelos Foutras authored
debuginfod: let nginx compress octet-stream responses
See merge request archlinux/infrastructure!573
-
Evangelos Foutras authored
Using the fastest gzip compression level to avoid burning too much CPU.
-
Evangelos Foutras authored
Implement generalized support for geo domains
See merge request archlinux/infrastructure!574
-
Evangelos Foutras authored
-
Evangelos Foutras authored
The intention is to use this config for other domains besides a mirror.
-
Evangelos Foutras authored
- add the new role to redirect.archlinux.org
- release mirror.pkgbuild.com of all DNS duties
-
Evangelos Foutras authored
-
- May 12, 2022
-
-
Kristian Klausen authored
Kevin is MIA, so add my key, so we can do releases.
-
Kristian Klausen authored
Provision server for buildbot POC
See merge request !571
-
Kristian Klausen authored
Foxboron wants some infra for a buildbot POC, so let's give it to him! The server has been configured with the common and firewalld role.
-
Evangelos Foutras authored
Remove [node_exporters]/[wireguard] from inventory + Replace dynamic hcloud inventory with host entries
See merge request archlinux/infrastructure!572
-
Evangelos Foutras authored
We make almost no use of the dynamic properties of the hcloud inventory, so we can simplify this by declaring all cloud servers in the main hosts inventory. The main benefit of this change is that temporary and experimental cloud servers are not automatically included in the Ansible playbooks. In such cases it is usually incorrect to deploy changes to these unknown servers. A smaller side benefit is that Ansible will now use hostnames to connect to cloud servers, whereas the dynamic inventory provided IPv4 addresses. This results in more meaningful ~/.ssh/known_hosts entries.
-
Evangelos Foutras authored
All servers are part of these groups which makes them redundant.
-
Evangelos Foutras authored
Keycloak 18.0.0 disallows this by default; enable the legacy behavior temporarily. When this stops working, we should consider removing the 'redirect_uri' parameter entirely. Should also check if GitLab and/or Grafana have implemented support for alternative ways of signing out:
- https://gitlab.com/gitlab-org/gitlab/-/issues/14414
- https://github.com/grafana/grafana/issues/24643
-
Evangelos Foutras authored
-
Evangelos Foutras authored
tf-stage2: update keycloak provider to 3.8.1
See merge request !569
-
- May 10, 2022
-
-
Evangelos Foutras authored
OpenID clients:
- 'use_refresh_tokens' set to false to preserve the values on live
- 'backchannel_logout_session_required' implicitly changed to true for the 'grafana_openid_client' and 'openid_gitlab' clients

SAML client (GitLab):
- 'front_channel_logout' set to false to preserve the live setting
-
- May 09, 2022
-
-
Evangelos Foutras authored
Otherwise running terraform under tf-stage2 will often fail with:

> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'
-
Evangelos Foutras authored
-
Leonidas Spyropoulos authored
gitlab-exporter: add gitlab-exporter to monitoring
See merge request !566
-
Leonidas Spyropoulos authored
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
-
Evangelos Foutras authored
Bash histories indicate this isn't being used anywhere other than {build,gemini}.archlinux.org and gemini's filelist is so big that locate becomes so slow that it's practically useless on this box.
-
Evangelos Foutras authored
-