mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-05 17:36:08 +02:00
Commit Graph

106 Commits

Author SHA1 Message Date
Evangelos Foutras d58b875b06
Update build.archlinux.org info (DX182 -> AX162-R)
New server; same CPU and RAM as previous one, hopefully more stable.
2024-05-03 19:59:23 +03:00
Jan Alexander Steffens (heftig) 7c2d112870
matrix: Replace mjolnir with draupnir
Mjolnir does not support Node 20.
2024-04-09 00:01:06 +02:00
Jan Alexander Steffens (heftig) 31a33cc804
matrix: Update badwords 2024-03-27 23:33:05 +01:00
Evangelos Foutras eaeb54129a
find-arch-on-crt.sh: remove no-op bugs-old exclude 2024-03-17 01:02:47 +02:00
Evangelos Foutras df9b4d5085
find-arch-on-crt.sh: adjust for patsub_replacement
This shell behavior[1] in Bash 5.2 "expands occurrences of '&' in the
replacement string of pattern substitution to the text matched by the
pattern" but we want literal ampersands so escape them.

[1] https://www.gnu.org/software/bash/manual/html_node/The-Shopt-Builtin.html
2024-03-17 00:55:34 +02:00
Kristian Klausen 8a7e85f70c
Promote gromit to full DevOps
Fix #573
2024-02-22 22:51:08 +01:00
Kristian Klausen 5cd5fd42c0
Offboard grazzolini as DevOps
Fix #566
2024-02-10 19:52:08 +01:00
Leonidas Spyropoulos a6dd2faca4
Add new password for idrac of replaced server
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
2024-02-02 12:03:54 +00:00
Jan Alexander Steffens (heftig) 6d268f828b
matrix: Update badwords 2024-01-30 10:14:30 +01:00
Evangelos Foutras 50f55be2e9
Add iDRAC root credentials for build.archlinux.org 2024-01-20 17:27:11 +02:00
Evangelos Foutras 0d0c512eab
Re-encrypt vault passwords with heftig's new key
Follow-up to merge request archlinux/infrastructure!786. New key is
already trusted by four master keys in archlinux-keyring 20231222-1.

https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/254
2023-12-28 00:56:32 +02:00
Kristian Klausen 122eb202d9
Add dedicated Fastly billing account 2023-12-09 19:53:40 +01:00
Leonidas Spyropoulos a4c8cea5ba
vault: add transifex archlinux credentials
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
2023-12-01 11:48:20 +00:00
Levente Polyak 7ebc308452
Add Fastly credentials to vault 2023-11-22 23:42:42 +01:00
Kristian Klausen c216752047
Onboard gromit as Junior DevOps
gromit is our newest Junior DevOps[1] and will get access to:
* bugs.archlinux.org: for helping with the bug migration
* wiki.archlinux.org: for helping with (archwiki) maintenance

[1] https://lists.archlinux.org/archives/list/arch-devops@lists.archlinux.org/message/2LAOGIVY33MZLBZCDSQHDQVQNEULLUTW/

Fix #543
2023-10-21 21:05:56 +02:00
Kristian Klausen e5529102bc
Add API tokens for new Hetzner cloud sandbox project
A new Hetzner cloud project has been created called "Sandbox". This
project is meant for non-production workload which must be created
on-demand from e.g. a CI pipeline. The first project using the sandbox
is aurweb, which wants to use GitLab's Review apps[1] feature to create
dynamic environments on-demand.

Two API tokens have been created, one for the infrastructure project (to
be used by packer) and for the aurweb project.

[1] https://docs.gitlab.com/ee/ci/review_apps/
2023-08-19 21:37:23 +02:00
Kristian Klausen 152127387e
Add dedicated GitHub account for archlinux-docker
This is needed as archlinux-docker wants to push its container images to
GitHub Packages[1]. Unfortunately, the existing GitHub account has too
much access and it is not possible to limit the token to a single
repository[2].

[1] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/73
[2] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic
2023-08-12 00:15:23 +02:00
Kristian Klausen 034fb0a0f8
Add RedHat account
This is needed as archlinux-docker wants to push its container images to
Quay.io[1], which requires a RedHat account.

[1] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/73
2023-08-12 00:15:18 +02:00
Jan Alexander Steffens (heftig) ca95d9d3a8
matrix: Bridge public channels as well 2023-08-02 23:22:18 +02:00
Sven-Hendrik Haase ced598b176
Add hCaptcha to Keycloak registration forms 2023-06-16 00:01:50 +02:00
Sven-Hendrik Haase 36e7ddca57
Add further hCaptcha secrets 2023-06-15 21:52:43 +02:00
Evangelos Foutras b566922082
Add user credentials for hCaptcha 2023-06-15 22:37:41 +03:00
Jan Alexander Steffens (heftig) 87472ae00d
matrix: Update bridge config 2023-06-13 19:16:13 +02:00
Jan Alexander Steffens (heftig) e33791b349
matrix: Update badwords 2023-04-17 11:02:37 +02:00
Evangelos Foutras a72cc1f423
Re-encrypt super password to include artafinde
Follow-up to merge request archlinux/infrastructure!671.
2023-01-31 21:13:19 +02:00
Levente Polyak 0dcc40e9d8
mastodon: add credentials to vault
URL: https://fosstodon.org/@archlinux
2022-12-11 23:53:44 +01:00
Kristian Klausen 78cc9e449e
Add Equinix Metal account
We have been using sponsored Equinix Metal boxes for years (sponsorship
managed by CNCF[1]). This adds a service account[2], so we don't need to
rely on individual access.

[1] https://github.com/cncf/cluster
[2] https://github.com/cncf/cluster/issues/213
2022-12-05 22:56:43 +01:00
Evangelos Foutras 9bdb6a8e9d
find-arch-on-crt.sh: skip riscv.mirror.pkgbuild.com
Similarly to geo.mirror.pkgbuild.com, this is monitored elsewhere.
2022-11-17 22:19:55 +02:00
Evangelos Foutras 046efd7fb2
kcadm_wrapper.sh: call kcadm.sh instead of kcadm
I think this was renamed when Keycloak switched to Quarkus.
2022-11-12 18:58:15 +02:00
Evangelos Foutras ed19221404
keycloak: remove /auth from all Keycloak endpoints
From [1]: "By default, the new Quarkus distribution removes /auth from
           the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus
2022-11-12 17:33:36 +02:00
Kristian Klausen ecb032c53b
Add GPG master and signing key for arch-boxes
The key is used for signing the releases, so the users can be sure the
images on the mirrors haven't been modified. arch-boxes has been tweaked
to use the key in this MR[1].

[1] https://gitlab.archlinux.org/archlinux/arch-boxes/-/merge_requests/176
2022-09-16 21:58:40 +02:00
Kristian Klausen 5d55253cd0
Add GPG master and signing key for Renovate
Renovate is a tool for: "Automated dependency updates. Multi-platform
and multi-language."[1].

We require all commits pushed directly to official projects to be
signed, so a master key and signing key have been generated for
Renovate. Both keys are stored in renovate.asc and Renovate only has
access to the signing key.

[1] https://github.com/renovatebot/renovate
2022-09-16 21:58:37 +02:00
Jan Alexander Steffens (heftig) cdaf8fc8a7
matrix: Update badwords 2022-09-06 19:57:22 +02:00
Evangelos Foutras 434763e19c
misc/vault-keyring-client.sh: explain flock usage
Fixes: 511b6ca4e1 ("misc/vault-keyring-client.sh: add flock workaround")
2022-08-25 05:53:42 +03:00
Kristian Klausen 6159b411a1
Add new domain for project documentation (archlinux.page)
We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].

[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/
2022-07-03 13:21:40 +02:00
Evangelos Foutras 08f8744045
Remove a couple of obsolete secrets
- IPMI credentials for luna.archlinux.org
- Entry with no credentials for PIA boxes
2022-06-29 11:54:54 +03:00
Kristian Klausen 0055730abc
Add Gandi account
We want to deploy project documentation (ex: repod) with GitLab Pages
and due to security concerns[1], they should be deployed on a separate
domain.

Hetzner's Registration Robot[2] only supports a few TLDs and all the
good names have already been taken, and therefore we need a new domain
registrar. SPI has a partnership with Gandi, so Gandi it is.

[1] https://www.hetzner.com/registrationrobot
[2] https://github.blog/2013-04-09-yummy-cookies-across-domains/
2022-06-22 21:12:46 +02:00
Evangelos Foutras 1234dcec73
prometheus: split crt.sh lookups into new script
roles/prometheus/defaults/main.yml used to include a comment with the
commands used to generate a list of HTTPS endpoints to check. Move it
into a proper script and fix it to generate the correct current list.
2022-06-19 20:03:46 +03:00
Evangelos Foutras 68534b7f0f
Remove the three dashes from all vaulted YAML files
Extend the removal of the dashes from unencrypted YAML documents to
encrypted ones as well.

Fixes: a9e0790f53 ("Remove the three dashes from all YAML documents")
2022-06-13 01:34:52 +03:00
Jan Alexander Steffens (heftig) d285d1dfd3
matrix: Update badwords 2022-06-05 20:07:03 +02:00
Kristian Klausen 2a74897bfb
Add Vagrant Cloud account
Vagrant Cloud has been used for years by arch-boxes[1] for publishing
Vagrant boxes. Access to the organization[2] was handed out to a few
members of the DevOps team and the creator of the organization
(arch-boxes maintainer at the time).

With this commit the control of the organization is handed over to the
DevOps team through a new Vagrant Cloud account.

[1] https://gitlab.archlinux.org/archlinux/arch-boxes
[2] https://app.vagrantup.com/archlinux/
2022-05-29 21:20:06 +02:00
Evangelos Foutras 511b6ca4e1
misc/vault-keyring-client.sh: add flock workaround
Otherwise running terraform under tf-stage2 will often fail with:

> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'
2022-05-09 23:12:48 +03:00
Kristian Klausen 4c6203e727
Onboard artafinde as Junior DevOps
artafinde is our newest Junior DevOps[1] and will get access to:
* monitoring.al.org: for setting up gitlab-exporter[1]
* gitlab.al.org: for setting up gitlab-exporter[1]
* dashboards.al.org: in case he wants to do more monitoring related
  stuff

[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/

Fix #452
2022-05-07 18:41:05 +02:00
Evangelos Foutras 375a781611
Re-encrypt all default vaults with a new password 2022-05-07 17:45:19 +03:00
Evangelos Foutras b264a2f67e
Remove unused vaults and obsolete secrets
- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access
2022-05-07 17:45:19 +03:00
Evangelos Foutras 24112892be
hcloud_inventory: use read-only API key for hcloud 2022-05-07 17:45:19 +03:00
Evangelos Foutras b4d60ae2f6
Move highly sensitive secrets to new "super" vault
The idea behind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.
2022-05-07 17:45:19 +03:00
Evangelos Foutras 69994e900a
Complete rsync.net account migration
New username; separate and longer account manager + storage passwords.

Also, have to use --remote-path=borg1 when interacting with rsync.net.
2021-11-06 19:50:31 +02:00
Kristian Klausen 7265225bcd
Regenerate PAT for archlinux-docker for new token format[1]
[1] https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
2021-10-02 16:31:47 +02:00
Levente Polyak d62f409642
borg: allow out of place calls by prepending the root directory 2021-08-18 00:39:03 +02:00