Doing this in an attempt to be kind to our Borg hosts in cases where the
prometheus-borg-textcollector.timer is restarted on all hosts and avoids
having all machines querying the Borg hosts within the same minute. Only
downside is that the timers will trigger every 75-ish minutes instead of
exactly every hour, but this should not be a problem.

The role for the clients is named postfix_null (per [1]) and it's much
simpler and cleaner than the postfix role. I hope can cleanup the
postfix role at a later date.

[1] http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

Fixes: cf9c92fd ("dovecot: Disable POP3")

Implicit TLS is the future[1].

[1] https://datatracker.ietf.org/doc/html/rfc8314

No one uses it and less to worry about.

Fix #205

The homedir is now /home/vmail/%d/%n instead of /home/$USER.

Preparation for switching to a virtual user setup and removing all the
staff users from mail.a.o.

The users are only meant as a way to change the mail password and
setting up forwarding (~/.forward), the latter will be handled by the
DevOps team now.

Fixes: 678845af ("Add Kape server IPv6 addresses (fixes #230)")

It's been running out of swap during borg-backup and seems to get good
compression ratios; try upping the zram size to 100% of RAM (from 50%).

The fail2ban exporter exports the amount of bans per jail.

When both zswap and zram are active, zswap sits in front of zram and
treats it as a backing store. We just want to use zram and not zswap
disguising itself as such; disable the latter so we can enjoy useful
zramctl statistics.

Implemented as tmpfiles.d/zram.conf which disables zswap at runtime.

Restarting swap.target doesn't apply configuration changes; instead we
can restart systemd-zram-setup@zram0 which seems to do what we wanted.

Set "max-zram-size = none" to disable this unwanted limitation which
defaulted to creating zram-based swap with a maximum size of 4096MiB.

Fixes: dc8fa2bd ("common: Replace deprecated systemd-swap[1] with zram-generator")

The upstream branch is set by the earlier "git pull --set-upstream".

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.

Mark "Free Space (Hetzner)" metric as instant for faster updates.

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Add number of pacnew/pacsave files and print non explicit installed
optdepends as orphans as well.

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Closes #358

It confuses the users that the browser is caching them (due to
heuristic[1]).

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#heuristic_freshness_checking

The official backup tool for GitLab takes many hours to run because it
puts everything inside tarballs and then gzips each one. It seems safe
and much more efficient to skip this step for the offsite backup while
reusing the tarballs generated by the first backup to the Storage Box.

Should save ~5 hours from the borg-backup-offsite.service execution.

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

It simplifies it a bit.

The default login shell for the svntogit user (/sbin/nologin) breaks
the Match Exec directives in /srv/svntogit/.ssh/config and prohibits
Git from using the correct SSH key.

While we're at it, add --set-upstream to the git pull command so the
task is more likely to accomplish its intended purpose.

This is meant to address the daily HostHighCpuLoad alert triggered on
lists.archlinux.org, which due to the large number of files it has to
process (around 1.5 million). Machines with more than one virtual CPU
don't need this as Borg is currently single-threaded and thus limited
to one core.

Fixes: a9ee7e5d ("Send prometheus metrics and scrap its metrics over WireGuard")

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

account2 and account_api are enabled by default since keycloak 13
(https://www.keycloak.org/docs/13.0/server_installation/#profiles)

This is initial to be used for communicating between
{lists,mailman3}.archlinux.org as mailman{2,3} can't run on the same
server.

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").