Mark "Free Space (Hetzner)" metric as instant for faster updates.

Extend onboarding by more explicit information

See merge request !418

.gitlab/issue_templates/Onboarding.md:
Create the ticket as confidential by default (using a short action).
Make the required information in the Details section more explicit and
add entries that are relevant when creating an SSO and/or archweb
account.
Add a note for sponsors of new users, so that they also add a
clearsigned version of the data they provide.
Add a dot at the end of each sentence.
Make the entries for mailing list operations more generic and rely on
the *communication e-mail address*, which may be the user's personal
mail address or a newly created @archlinux.org mail address.
Add warning message about creating a confidential ticket when providing
personal data.
Add checkbox to remind about the removal of personal information,
removal of description history and setting the ticket to be
non-confidential (if it has been confidential due to personal data).
Add checkbox that reminds setting the Team member username to the
@-prefixed username on gitlab (after the user has logged in).

prometheus_exporters: Improve arch-textcollector

See merge request !453

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Add number of pacnew/pacsave files and print non explicit installed
optdepends as orphans as well.

archweb: Add robots.txt

Closes #358

See merge request !452

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

Closes #358

It confuses the users that the browser is caching them (due to
heuristic[1]).

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#heuristic_freshness_checking

The port was removed in:
4729ba40 ("postfix: Remove special "fast-path" smtpd")

Avoid running backup-gitlab twice; reuse tarballs

See merge request archlinux/infrastructure!451

The official backup tool for GitLab takes many hours to run because it
puts everything inside tarballs and then gzips each one. It seems safe
and much more efficient to skip this step for the offsite backup while
reusing the tarballs generated by the first backup to the Storage Box.

Should save ~5 hours from the borg-backup-offsite.service execution.

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

It simplifies it a bit.

The default login shell for the svntogit user (/sbin/nologin) breaks
the Match Exec directives in /srv/svntogit/.ssh/config and prohibits
Git from using the correct SSH key.

While we're at it, add --set-upstream to the git pull command so the
task is more likely to accomplish its intended purpose.

Limit Borg CPU usage on single vCPU servers to 50%

See merge request archlinux/infrastructure!447

This is meant to address the daily HostHighCpuLoad alert triggered on
lists.archlinux.org, which due to the large number of files it has to
process (around 1.5 million). Machines with more than one virtual CPU
don't need this as Borg is currently single-threaded and thus limited
to one core.

misc/get_key.py: load vault file without chdir'ing

See merge request archlinux/infrastructure!448

Now that misc/get_key.py checks if the vault file passed to it exists,
we cannot pass paths only resolvable from the root directory. Instead,
use paths that make sense relative to the current directory and avoid
calling chdir when loading the vault file.

Fixes: 77542146 ("Rewrite get_key.py to use click instead of typer")

tf-stage1: Update nameservers

Closes #207

See merge request archlinux/infrastructure!446

Closes #207

Fixes: a9ee7e5d ("Send prometheus metrics and scrap its metrics over WireGuard")

Send promtail logs and scrap its metrics over WireGuard

See merge request archlinux/infrastructure!445

keycloak: Remove obsolete configuration

See merge request archlinux/infrastructure!444

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

account2 and account_api are enabled by default since keycloak 13
(https://www.keycloak.org/docs/13.0/server_installation/#profiles)

WireGuard all hosts

See merge request archlinux/infrastructure!442

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

This is initial to be used for communicating between
{lists,mailman3}.archlinux.org as mailman{2,3} can't run on the same
server.

grafana: Use builtin functionality to restrict access

See merge request archlinux/infrastructure!443

Thorben Günther authored 3 years ago and Kristian Klausen committed 3 years ago

This reverts commit 649568e7 ("Restrict Grafana access to Arch Linux
Staff group on Keycloak (fixes #151)").

install_arch: Fix cleanup of pacman cache

See merge request archlinux/infrastructure!441

noconfirm does not work because the default answer to the first check is
`No`.

This should have been amended to the original commit.

Fixes: 5fba4d5b ("rspamd: Lower spam threshold on misaligned Reply-To/To fields")