Evangelos Foutras
d58b875b06
Update build.archlinux.org info (DX182 -> AX162-R)
...
New server; same CPU and RAM as previous one, hopefully more stable.
2024-05-03 19:59:23 +03:00
Jan Alexander Steffens (heftig)
7c2d112870
matrix: Replace mjolnir with draupnir
...
Mjolnir does not support Node 20.
2024-04-09 00:01:06 +02:00
Jan Alexander Steffens (heftig)
31a33cc804
matrix: Update badwords
2024-03-27 23:33:05 +01:00
Evangelos Foutras
eaeb54129a
find-arch-on-crt.sh: remove no-op bugs-old exclude
2024-03-17 01:02:47 +02:00
Evangelos Foutras
df9b4d5085
find-arch-on-crt.sh: adjust for patsub_replacement
...
This shell behavior[1] in Bash 5.2 "expands occurrences of '&' in the
replacement string of pattern substitution to the text matched by the
pattern" but we want literal ampersands so escape them.
[1] https://www.gnu.org/software/bash/manual/html_node/The-Shopt-Builtin.html
2024-03-17 00:55:34 +02:00
Kristian Klausen
8a7e85f70c
Promote gromit to full DevOps
...
Fix #573
2024-02-22 22:51:08 +01:00
Kristian Klausen
5cd5fd42c0
Offboard grazzolini as DevOps
...
Fix #566
2024-02-10 19:52:08 +01:00
Leonidas Spyropoulos
a6dd2faca4
Add new password for idrac of replaced server
...
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
2024-02-02 12:03:54 +00:00
Jan Alexander Steffens (heftig)
6d268f828b
matrix: Update badwords
2024-01-30 10:14:30 +01:00
Evangelos Foutras
50f55be2e9
Add iDRAC root credentials for build.archlinux.org
2024-01-20 17:27:11 +02:00
Evangelos Foutras
0d0c512eab
Re-encrypt vault passwords with heftig's new key
...
Follow-up to merge request archlinux/infrastructure!786 . New key is
already trusted by four master keys in archlinux-keyring 20231222-1.
https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/254
2023-12-28 00:56:32 +02:00
Kristian Klausen
122eb202d9
Add dedicated Fastly billing account
2023-12-09 19:53:40 +01:00
Leonidas Spyropoulos
a4c8cea5ba
vault: add transifex archlinux credentials
...
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
2023-12-01 11:48:20 +00:00
Levente Polyak
7ebc308452
Add Fastly credentials to vault
2023-11-22 23:42:42 +01:00
Kristian Klausen
c216752047
Onboard gromit as Junior DevOps
...
gromit is our newest Junior DevOps[1] and will get access to:
* bugs.archlinux.org: for helping with the bug migration
* wiki.archlinux.org: for helping with (archwiki) maintenance
[1] https://lists.archlinux.org/archives/list/arch-devops@lists.archlinux.org/message/2LAOGIVY33MZLBZCDSQHDQVQNEULLUTW/
Fix #543
2023-10-21 21:05:56 +02:00
Kristian Klausen
e5529102bc
Add API tokens for new Hetzner cloud sandbox project
...
A new Hetzner cloud project has been created called "Sandbox". This
project is meant for non-production workload which must be created
on-demand from e.g. a CI pipeline. The first project using the sandbox
is aurweb, which wants to use GitLab's Review apps[1] feature to create
dynamic environments on-demand.
Two API tokens have been created, one for the infrastructure project (to
be used by packer) and one for the aurweb project.
[1] https://docs.gitlab.com/ee/ci/review_apps/
2023-08-19 21:37:23 +02:00
Kristian Klausen
152127387e
Add dedicated GitHub account for archlinux-docker
...
This is needed as archlinux-docker wants to push its container images to
GitHub Packages[1]. Unfortunately, the existing GitHub account has too
much access and it is not possible to limit the token to a single
repository[2].
[1] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/73
[2] https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic
2023-08-12 00:15:23 +02:00
Kristian Klausen
034fb0a0f8
Add RedHat account
...
This is needed as archlinux-docker wants to push its container images to
Quay.io[1], which requires a RedHat account.
[1] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/73
2023-08-12 00:15:18 +02:00
Jan Alexander Steffens (heftig)
ca95d9d3a8
matrix: Bridge public channels as well
2023-08-02 23:22:18 +02:00
Sven-Hendrik Haase
ced598b176
Add hCaptcha to Keycloak registration forms
2023-06-16 00:01:50 +02:00
Sven-Hendrik Haase
36e7ddca57
Add further hCaptcha secrets
2023-06-15 21:52:43 +02:00
Evangelos Foutras
b566922082
Add user credentials for hCaptcha
2023-06-15 22:37:41 +03:00
Jan Alexander Steffens (heftig)
87472ae00d
matrix: Update bridge config
2023-06-13 19:16:13 +02:00
Jan Alexander Steffens (heftig)
e33791b349
matrix: Update badwords
2023-04-17 11:02:37 +02:00
Evangelos Foutras
a72cc1f423
Re-encrypt super password to include artafinde
...
Follow-up to merge request archlinux/infrastructure!671 .
2023-01-31 21:13:19 +02:00
Levente Polyak
0dcc40e9d8
mastodon: add credentials to vault
...
URL: https://fosstodon.org/@archlinux
2022-12-11 23:53:44 +01:00
Kristian Klausen
78cc9e449e
Add Equinix Metal account
...
We have been using sponsored Equinix Metal boxes for years (sponsorship
managed by CNCF[1]). This adds a service account[2], so we don't need to
rely on individual access.
[1] https://github.com/cncf/cluster
[2] https://github.com/cncf/cluster/issues/213
2022-12-05 22:56:43 +01:00
Evangelos Foutras
9bdb6a8e9d
find-arch-on-crt.sh: skip riscv.mirror.pkgbuild.com
...
Similarly to geo.mirror.pkgbuild.com, this is monitored elsewhere.
2022-11-17 22:19:55 +02:00
Evangelos Foutras
046efd7fb2
kcadm_wrapper.sh: call kcadm.sh instead of kcadm
...
I think this was renamed when Keycloak switched to Quarkus.
2022-11-12 18:58:15 +02:00
Evangelos Foutras
ed19221404
keycloak: remove /auth from all Keycloak endpoints
...
From [1]: "By default, the new Quarkus distribution removes /auth from
the context-path."
[1] https://www.keycloak.org/migration/migrating-to-quarkus
2022-11-12 17:33:36 +02:00
Kristian Klausen
ecb032c53b
Add GPG master and signing key for arch-boxes
...
The key is used for signing the releases, so the users can be sure the
images on the mirrors haven't been modified. arch-boxes has been tweaked
to use the key in this MR[1].
[1] https://gitlab.archlinux.org/archlinux/arch-boxes/-/merge_requests/176
2022-09-16 21:58:40 +02:00
Kristian Klausen
5d55253cd0
Add GPG master and signing key for Renovate
...
Renovate is a tool for: "Automated dependency updates. Multi-platform
and multi-language."[1].
We require all commits pushed directly to official projects to be
signed, so a master key and signing key have been generated for
Renovate. Both keys are stored in renovate.asc and Renovate only has
access to the signing key.
[1] https://github.com/renovatebot/renovate
2022-09-16 21:58:37 +02:00
Jan Alexander Steffens (heftig)
cdaf8fc8a7
matrix: Update badwords
2022-09-06 19:57:22 +02:00
Evangelos Foutras
434763e19c
misc/vault-keyring-client.sh: explain flock usage
...
Fixes: 511b6ca4e1
("misc/vault-keyring-client.sh: add flock workaround")
2022-08-25 05:53:42 +03:00
Kristian Klausen
6159b411a1
Add new domain for project documentation (archlinux.page)
...
We want non-DevOps to be able to deploy project documentation (ex:
repod) with GitLab Pages and a separate domain was considered the only
sensible solution due to security issues[1].
[1] https://github.blog/2013-04-09-yummy-cookies-across-domains/
2022-07-03 13:21:40 +02:00
Evangelos Foutras
08f8744045
Remove a couple of obsolete secrets
...
- IPMI credentials for luna.archlinux.org
- Entry with no credentials for PIA boxes
2022-06-29 11:54:54 +03:00
Kristian Klausen
0055730abc
Add Gandi account
...
We want to deploy project documentation (ex: repod) with GitLab Pages
and due to security concerns[1], they should be deployed on a separate
domain.
Hetzner's Registration Robot[2] only supports a few TLDs and all the
good names have already been taken, and therefore we need a new domain
registrar. SPI has a partnership with Gandi, so Gandi it is.
[1] https://www.hetzner.com/registrationrobot
[2] https://github.blog/2013-04-09-yummy-cookies-across-domains/
2022-06-22 21:12:46 +02:00
Evangelos Foutras
1234dcec73
prometheus: split crt.sh lookups into new script
...
roles/prometheus/defaults/main.yml used to include a comment with the
commands used to generate a list of HTTPS endpoints to check. Move it
into a proper script and fix it to generate the correct current list.
2022-06-19 20:03:46 +03:00
Evangelos Foutras
68534b7f0f
Remove the three dashes from all vaulted YAML files
...
Extend the removal of the dashes from unencrypted YAML documents to
encrypted ones as well.
Fixes: a9e0790f53
("Remove the three dashes from all YAML documents")
2022-06-13 01:34:52 +03:00
Jan Alexander Steffens (heftig)
d285d1dfd3
matrix: Update badwords
2022-06-05 20:07:03 +02:00
Kristian Klausen
2a74897bfb
Add Vagrant Cloud account
...
Vagrant Cloud has been used for years by arch-boxes[1] for publishing
Vagrant boxes. Access to the organization[2] was handed out to a few
members of the DevOps team and the creator of the organization
(arch-boxes maintainer at the time).
With this commit the control of the organization is handed over to the
DevOps team through a new Vagrant Cloud account.
[1] https://gitlab.archlinux.org/archlinux/arch-boxes
[2] https://app.vagrantup.com/archlinux/
2022-05-29 21:20:06 +02:00
Evangelos Foutras
511b6ca4e1
misc/vault-keyring-client.sh: add flock workaround
...
Otherwise running terraform under tf-stage2 will often fail with:
> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'
2022-05-09 23:12:48 +03:00
Kristian Klausen
4c6203e727
Onboard artafinde as Junior DevOps
...
artafinde is our newest Junior DevOp[1] and will get access to:
* monitoring.al.org: for setting up gitlab-exporter[1]
* gitlab.al.org: for setting up gitlab-exporter[1]
* dashboards.al.org: in case he wants to do more monitoring related
stuff
[1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html
[2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/
Fix #452
2022-05-07 18:41:05 +02:00
Evangelos Foutras
375a781611
Re-encrypt all default vaults with a new password
2022-05-07 17:45:19 +03:00
Evangelos Foutras
b264a2f67e
Remove unused vaults and obsolete secrets
...
- group_vars/all/vault_mariadb.yml: remove 'zabbix' database user
- misc/vaults/additional-credentials.vault: remove zabbix irc bot
- roles/dbscripts/tasks/main.yml: drop unused tier0 mirror access
2022-05-07 17:45:19 +03:00
Evangelos Foutras
24112892be
hcloud_inventory: use read-only API key for hcloud
2022-05-07 17:45:19 +03:00
Evangelos Foutras
b4d60ae2f6
Move highly sensitive secrets to new "super" vault
...
The idea behind this is to be able to give vault access to new DevOps
members without giving away more important credentials like Hetzner's.
2022-05-07 17:45:19 +03:00
Evangelos Foutras
69994e900a
Complete rsync.net account migration
...
New username; separate and longer account manager + storage passwords.
Also, have to use --remote-path=borg1 when interacting with rsync.net.
2021-11-06 19:50:31 +02:00
Kristian Klausen
7265225bcd
Regenerate PAT for archlinux-docker for new token format[1]
...
[1] https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
2021-10-02 16:31:47 +02:00
Levente Polyak
d62f409642
borg: allow out of place calls by prepending the root directory
2021-08-18 00:39:03 +02:00