While mbox and maildir files get deleted by dovecot right away, that's
not the case for mdbox files. Since they contain multiple mails at once
in a proprietary format rewriting is expensive. That's why this step
is done in a separate step outside the dovecot process.

Replace SpamAssassin with Rspamd

See merge request archlinux/infrastructure!42

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Switching to Rspamd has some advantages:
* It is probably faster than SA[1] (C + Lua vs Perl)
* We can reduce the number of moving parts. Rspamd has built-in DKIM
  signing, greylisting, DMARC checking to name a few
* It doesn't just mark the mail as spam/not-spam, it gives every mail a
  score and depending on the score it does either: nothing, greylist it,
  mark it as spam or reject it[2] (more actions is available and it can
  be tweaked)
* Replies whitelisting[3]
* It supports ARC signing, which can be useful
* A cool looking WebUi :)
* ... and more[4]...

[1] https://rspamd.com/doc/tutorials/migrate_sa.html#why-migrate-to-rspamd
[2] https://rspamd.com/doc/faq.html#what-are-rspamd-actions
[3] https://rspamd.com/doc/modules/replies.html
[4] https://rspamd.com/comparison.html

rebuilderd-worker can now post diffoscope html output to rebuilderd
whcih requires raising our POST size.

We need to match the tmpfiles.d/turnserver.conf settings.

Less work_mem because this explodes easily. It's per-operation, which a
query can have multiple of, and also across multiple worker threads.

More shared_buffers and effective_cache_size as these are global.

Add server decommissioning template

See merge request archlinux/infrastructure!136

fix mx record for aur. and master-key.

See merge request archlinux/infrastructure!137

In coordination with Foxboron, the box has fulfilled its use and has been deleted.

Creation of admin user should be idempotent

Closes #88

See merge request archlinux/infrastructure!134

It ran out of memory, with Postgres using a lot of RSS.

Extend TU/Dev/DevOps and Staff on/offboarding guidelines

See merge request archlinux/infrastructure!99

Jelle van der Waa authored 4 years ago and Jelle van der Waa committed 4 years ago

Add the relevant mailing list subscriptions for all, Devops, TU and
Developer specific mailing lists.

Offboard dreisner as TU/Dev

See merge request !132

Earlier, Terraform would always show a diff because Hetzner DNS API will tranform our entries
after submitting them. This commit ensures that the entries are in the same format the API expects
them to be in from the start.

Remove old task to symlink checkservices to /usr/local/bin

See merge request !133

conf.archlinux.org: Updated revision

See merge request !131

Signed-off-by: Morten Linderud <morten@linderud.pw>

add dkim key removed by previous commit

See merge request !130

Setup SPF record for HELO name

See merge request !122

The RFC[1] recommends it and it seems to be best-pratice these days.

[1] https://tools.ietf.org/html/rfc7208

Document our fail2ban setup

See merge request !94

For all hosts we want to have a working fail2ban for sshd brute force
attempts through a group_vars/all. For some hosts an override is
required to enable postfix or dovecot jails.

Remove secure-runner2

See merge request !128

As it turns out, secure-runner2 isn't fast enough to serve as CI/CD and if we keep rescaling it to be
large enough, it'll be more expensive than secure-runner1 which is a lot faster. So, it'd be most
useful to just get rid of this VPS.

The idea is to cancel secure-runner1 and use secure-runner2 as the sole secure-runner as it should be fast enough.
We originally had secure-runner1 in hardware as we thought we needed KVM but as it turns out, qemu software emulation
via tcg is actually fast enough so that's what we're using now. That also menas that we can now use a cheap cloud
runner for everything.

We decommissioned kanboard in favor of GitLab.