- Sep 09, 2020
-
-
Configure Grafana to use Keycloak OpenID Connect for authentication. For now only DevOps is configured as admin and Arch Staff as general Viewer roles.
-
To show the session IP address in /profile in Grafana the X-Forwarded-For header has to be set.
-
As we are moving to prometheus it's no longer required.
-
Sven-Hendrik Haase authored
Use IPs from Hcloud
See merge request archlinux/infrastructure!82
-
Sven-Hendrik Haase authored
Now that we manage DNS via Terraform and Hetzner DNS API, it makes sense to use the data provider from hcloud to get the server IPs.
-
- Sep 08, 2020
-
-
Sven-Hendrik Haase authored
Redo Keycloak flows and add WebAuthn support
Closes #28 and #112
See merge request archlinux/infrastructure!80
-
Sven-Hendrik Haase authored
We had to redesign all flows when discovering that we can't design flows exactly the way we wanted in Keycloak.
-
Sven-Hendrik Haase authored
-
Broken by the last commit
-
Registering a new required action is currently not supported, so it needs to be done manually. See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/354
Configuring the WebAuthn policy is currently not supported, so it needs to be done manually. See upstream bug: https://github.com/mrparkers/terraform-provider-keycloak/issues/355
Fix #28
-
Sven-Hendrik Haase authored
See https://github.com/timohirt/terraform-provider-hetznerdns/issues/20 for reference.
-
Sven-Hendrik Haase authored
Start managing Hetzner DNS with Terraform
Closes #87
See merge request archlinux/infrastructure!62
-
- Sep 07, 2020
-
-
Sven-Hendrik Haase authored
-
- Sep 06, 2020
-
-
Jan Alexander Steffens (heftig) authored
-
Jelle van der Waa authored
Prometheus exporters
See merge request archlinux/infrastructure!72
-
Jelle van der Waa authored
Record the rebuilderd queue length in prometheus so we can generate an alert for when the queue length keeps rising, as this could be an indication that the rebuilders have builds which are stuck.
-
Jelle van der Waa authored
Run the blackbox exporter on monitoring.archlinux.org to monitor other machines' HTTP status for public services we provide. Also has an alert for when a certificate is about to expire in 3 days.
-
Jelle van der Waa authored
Add a new role called prometheus_exporters which should be run on every machine we have and starts different collectors depending on what group the machine is in. Currently supported are the gitlab runner exporter, rebuilder textcollector, mysqld-exporter, borg textcollector and a node/arch exporter. The arch exporter monitors the security status and pacman out of date packages gauge.
-
- Sep 05, 2020
-
-
Jelle van der Waa authored
aurweb: serve static assets with nginx and use Cache-Control
See merge request archlinux/infrastructure!78
-
Jakub Klinkovský authored
-
Jelle van der Waa authored
archwiki: fix directory permissions
See merge request archlinux/infrastructure!64
-
Jakub Klinkovský authored
- home directory needs 751 - nginx accesses it to serve static files
- cache and sessions directories are used only by PHP -> 750
- uploads is public -> 755

Note that the "fix home permissions" task was duplicated. Other tasks fixing permissions were moved above.
-
Jelle van der Waa authored
Small changes for testing some roles in local containers
See merge request archlinux/infrastructure!58
-
Jakub Klinkovský authored
-
Jakub Klinkovský authored
-
Jakub Klinkovský authored
This is much cleaner because the nginx role does not have to set the fastcgi_cache variable to "false" by default, which was overridden by host_vars/apollo.archlinux.org to "wiki", but the value was still hardcoded in the config. At first, I was wondering that the cache "zone" name should be generalized to improve the configuration (from the original per-host to per-service), but that would be an overkill since the fastcgi cache is used only for the wiki...
-
Jakub Klinkovský authored
This is needed for the role to work in containers. The option will also be applied upstream, see the upstream ticket: https://github.com/smartmontools/smartmontools/issues/62
-
Jakub Klinkovský authored
The previous task creating the "zabbix_agent" user in the database stays here as it actually needs the mariadb role. But note that it uses a hardcoded name "zabbix_agent" for setting the password. The zabbix_agent uses a different variable ("{{zabbix_agent_mysql_password}}") in the my.cnf.j2 template, but I don't see where the variable is defined...
-
Jakub Klinkovský authored
This role actually uses a handler from nginx to reload nginx.service.
-
Jakub Klinkovský authored
-
Jakub Klinkovský authored
Otherwise the timer may be started before mysqld and the service would fail at the first start.
-
Jakub Klinkovský authored
archwiki-runjobs.service is one-shot and timer-activated, it is not supposed to be enabled.
-
Jakub Klinkovský authored
This happens in the local Docker container, not sure about the production environment...
-
Jakub Klinkovský authored
-
Jakub Klinkovský authored
-
- Sep 04, 2020
-
-
Jelle van der Waa authored
-
Jelle van der Waa authored
-
- Sep 03, 2020
-
-
Giancarlo Razzolini authored
Increase AUR machine size
See merge request archlinux/infrastructure!76
-
Sven-Hendrik Haase authored
-
Jelle van der Waa authored
Exclude btrfs docker submount from being backed up
See merge request archlinux/infrastructure!75
-