nullglob + loop so the service doesn't fail if there are no
/home/*/.cache/offload-build directories (slightly less efficient
than one find call, but seems safer also in regards to ARG_MAX)
-mindepth 1 so it doesn't try to delete .cache/offload-build for users
without any recent builds
no verbose output from rm command, otherwise we'll get 500k log lines
the first time it runs (calculated around 75G of old tmp directories)
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Co-authored-by: Evangelos Foutras <evangelos@foutras.com>
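The cleanup loop the message describes, written out as an added illustration (this is not the repository's own service unit or script). It assumes the layout named above, per-user scratch directories under /home/<user>/.cache/offload-build, and that a base directory and maximum age are passed in so the script can be exercised on any tree:

```bash
#!/bin/bash
# Added illustration of the cleanup loop described above; it is not the
# repository's own service unit. Assumed layout: each user's build scratch
# lives under /home/<user>/.cache/offload-build/<dir>, and anything there
# older than a given number of days is safe to remove.
set -euo pipefail
# nullglob: a glob that matches nothing expands to nothing instead of the
# literal pattern, so with no offload-build directories the loop body never
# runs and the script exits 0 rather than failing on a bogus path.
shopt -s nullglob

# cleanup_offload_builds BASE MAX_AGE_DAYS
# Removes stale entries under BASE/*/.cache/offload-build and prints how
# many top-level entries were removed.
cleanup_offload_builds() {
    local base=$1 max_age=$2 dir path removed=0
    for dir in "$base"/*/.cache/offload-build; do
        # -mindepth 1: never delete offload-build itself, so users without
        #   recent builds keep an (empty) directory.
        # -maxdepth 1: a stale build dir is removed as a whole; its contents
        #   are not listed separately.
        # One find per user keeps every argument list short (ARG_MAX) even
        # when a single user has hundreds of thousands of stale entries.
        while IFS= read -r -d '' path; do
            # Deliberately no -v: the first run over ~500k entries would
            # otherwise flood the journal.
            rm -rf -- "$path"
            removed=$((removed + 1))
        done < <(find "$dir" -mindepth 1 -maxdepth 1 -mtime +"$max_age" -print0)
    done
    echo "$removed"
}

# Stand-alone use: ./cleanup.sh --run /home 30
if [ "${1:-}" = "--run" ]; then
    cleanup_offload_builds "${2:-/home}" "${3:-30}"
fi
```

Without nullglob the unmatched pattern would be passed to find as a literal path and the unit would fail on every host with no builds; with it, the empty case is simply a no-op. The counter is printed rather than logged per file for the reason given in the message.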
This is already done for the 'sudo' role, but we also have a few more
sudoers files which currently go in unverified.
Signed-off-by: Christian Heusel <christian@heusel.eu>
Move backup-related variable defaults from the database roles into the
borg_client role. Also check group membership to guard installation of
database backup helper scripts.
Due to the "systemctl is-active foo && backup-foo || true" shorthand,
errors during database dumping were being ignored. Change the MariaDB
section to also be wrapped in a proper if statement. Finally, get rid
of "|| true" silencing statements + enable errexit in helper scripts.
This may be interesting for our mirror administrators and mirror owners.
I tried backfilling the data, but was unsuccessful, due to a bug[1]. We
may try again if/when the bug is fixed.
[1] https://github.com/prometheus/prometheus/issues/13747
Up until now the captcha has depended on the exact output of the pacman
version command which could lead to multiple problematic scenarios:
a) User uses testing repos (user pacman newer)
b) Server is not instantly updated (user pacman newer)
c) User system is not updated (user pacman older)
Circumvent this problem by switching to a time based captcha instead.
Signed-off-by: Christian Heusel <christian@heusel.eu>
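A time-based captcha of the kind the message switches to, as an added example; the challenge text and verifier below are assumptions of this illustration, not the project's actual implementation. The token is derived only from the UTC date, and the verifier accepts the current and the previous day, so a submission around midnight or a mildly skewed client clock does not fail the way a version-string mismatch did:

```bash
#!/bin/bash
# Added example of a time-based captcha, not the project's actual challenge
# text or verifier. Assumed scheme: the user is asked to run a command that
# hashes today's UTC date, and the server accepts the answer for the current
# day and the previous one, so a submission around midnight or a slightly
# skewed clock is not rejected. Nothing here depends on the installed pacman
# version, which is what made the old challenge break for testing-repo users,
# lagging servers and out-of-date clients.
set -euo pipefail

# captcha_token YYYY-MM-DD  -> 6 hex chars derived from that date
# This is the command the user is told to run (with "$(date -u +%F)").
captcha_token() {
    printf '%s\n' "$1" | sha256sum | cut -c1-6
}

# captcha_verify CANDIDATE TODAY  -> exit 0 if CANDIDATE is valid on TODAY
# Accepts the token for TODAY or for the day before (one-day grace window).
captcha_verify() {
    local candidate=$1 today=$2 day
    for day in "$today" "$(date -u -d "$today -1 day" +%F)"; do
        if [ "$candidate" = "$(captcha_token "$day")" ]; then
            return 0
        fi
    done
    return 1
}

# Stand-alone use: ./captcha.sh --token prints the expected answer for today,
# ./captcha.sh --verify ANSWER checks one.
case "${1:-}" in
    --token)  captcha_token "$(date -u +%F)" ;;
    --verify) captcha_verify "${2:?answer required}" "$(date -u +%F)" && echo ok ;;
esac
```

The grace window is the part that matters operationally: the old challenge had three distinct ways for client and server to disagree, whereas here the only thing both sides must agree on is the date, to within a day.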
The systemd environment variables can be read by anyone, so move the
secret to the configuration file, which can only be read by root and the
hedgedoc user.
Fix #562
The firewalld direct interface is deprecated and will be removed in a
future release[1]. Recently IPv4 connectivity inside docker containers
on our runners broke and after some troubleshooting, the issue was
pinpointed to the start of the fail2ban service. We also had issues in
the past where sometimes firewalld had to be restarted after boot before
network connectivity worked in libvirt on our runners.
The issue may be due to a bug in the way fail2ban uses the direct
interface, a bug in firewalld or a combination thereof. Let's just avoid
the direct interface altogether and create a clean separation, with
firewalld handling the blocking and fail2ban maintaining the ipset.
[1] https://firewalld.org/documentation/man-pages/firewalld.direct.html
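The split the message proposes, firewalld owning the blocking rule and fail2ban only maintaining ipset members, as an added example; this is not the repository's playbook or its fail2ban configuration. Assumed: a hash:ip ipset (IPv4 only; IPv6 would need a second set created with --option=family=inet6) bound as a source to the drop zone, and a custom action file whose commands never touch the deprecated direct interface:

```bash
#!/bin/bash
# Added example of the firewalld/fail2ban split described above; it is not
# the repository's playbook or fail2ban configuration. Assumptions: a
# firewalld ipset of type hash:ip named by the caller, bound as a source to
# the "drop" zone, and a custom fail2ban action whose only job is to add and
# remove members of that set. firewalld owns the blocking rule; fail2ban
# never uses the deprecated direct interface.
set -euo pipefail

# run CMD...  -> print the command instead of executing it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_firewalld_ipset NAME [ZONE]  -> one-time firewalld configuration
setup_firewalld_ipset() {
    local name=$1 zone=${2:-drop}
    run firewall-cmd --permanent --new-ipset="$name" --type=hash:ip
    # Traffic from any member of the set lands in the drop zone.
    run firewall-cmd --permanent --zone="$zone" --add-source="ipset:$name"
    run firewall-cmd --reload
}

# write_fail2ban_action DIR IPSET  -> DIR/firewalld-ipset.conf
# <ip> is fail2ban's standard tag; <ipset> comes from the [Init] section and
# can be overridden per jail: banaction = firewalld-ipset[ipset=f2b-sshd]
write_fail2ban_action() {
    local dir=$1 ipset=$2
    cat > "$dir/firewalld-ipset.conf" <<EOF
[Definition]
# Nothing to create or tear down: the set and the zone binding are managed
# by firewalld, independently of fail2ban's lifecycle.
actionstart =
actionstop =
# fail2ban re-runs actionstart when this fails; here it only confirms the set exists.
actioncheck = firewall-cmd --ipset=<ipset> --get-entries >/dev/null
actionban = firewall-cmd --ipset=<ipset> --add-entry=<ip>
actionunban = firewall-cmd --ipset=<ipset> --remove-entry=<ip>

[Init]
ipset = $ipset
EOF
}

# Stand-alone use: ./f2b-ipset.sh --setup f2b-sshd /etc/fail2ban/action.d
if [ "${1:-}" = "--setup" ]; then
    setup_firewalld_ipset "${2:?ipset name}" drop
    write_fail2ban_action "${3:?fail2ban action.d directory}" "$2"
fi
```

One caveat of this layout: entries added at runtime are dropped by a firewalld reload. fail2ban restores its bans from its own database when fail2ban itself restarts, but not when only firewalld reloads, so a reload should be followed by a fail2ban restart (or bans added with --permanent as well, at the cost of a permanent-config write per ban).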
When there was an error, e.g. with the image verification, the loopdev
variable was unbound in the cleanup function. We fix this by defining
the variable as empty.
Signed-off-by: Christian Heusel <christian@heusel.eu>
Related to #550
Related to #551
Fixes: 4e5550a8 ("Decommission bugs.archlinux.org and replace it with a static copy[1]")
Signed-off-by: Christian Heusel <christian@heusel.eu>
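Two of the messages above describe shell pitfalls in the helper scripts: the "is-active foo && backup-foo || true" shorthand that swallowed dump errors, and the cleanup function that hit an unbound loopdev variable when an earlier step failed. Both as one added, runnable illustration; the backup command, the image detach step and the function names are stand-ins for this example, not the repository's scripts:

```bash
#!/bin/bash
# Added illustration of two shell pitfalls named above. The backup command,
# detach_image and the simulate_* helper are hypothetical stand-ins, not the
# repository's own scripts.
set -euo pipefail

# --- Pitfall 1: "active && backup || true" hides backup failures -----------
# In the shorthand a failing backup makes the whole list succeed through
# "|| true", so errexit never fires and the script's status is 0. The
# if-form keeps the "skip when the service is inactive" intent but lets a
# real dump failure propagate.
run_backup_shorthand() {        # returns 0 even when the backup fails
    local is_active=$1 backup=$2
    $is_active && $backup || true
}
run_backup_guarded() {          # returns the backup's own exit status
    local is_active=$1 backup=$2
    if $is_active; then
        $backup
    fi
}

# --- Pitfall 2: cleanup trap touches a variable that was never set ---------
detach_image() { :; }           # stand-in for the real detach (losetup -d)

cleanup_unsafe() {
    # Under set -u this line aborts the whole function when verification
    # failed before a loop device was ever attached, so the rm below never runs.
    [ -n "$loopdev" ] && detach_image "$loopdev"
    rm -rf -- "$workdir"
}
cleanup_safe() {
    # Caller initialises loopdev="" up front; an empty value is simply skipped.
    if [ -n "$loopdev" ]; then detach_image "$loopdev"; fi
    rm -rf -- "$workdir"
}

# simulate_failed_build safe|unsafe
# Emulates a run whose verification step fails before any loop device is
# attached, then runs the chosen cleanup. Returns 0 if the work directory was
# actually removed, 1 if cleanup bailed out and left it behind.
simulate_failed_build() {
    local mode=$1 dir
    dir=$(mktemp -d)
    (
        set -u
        workdir=$dir
        if [ "$mode" = safe ]; then loopdev=""; fi
        # "verification failed" here, before loopdev would have been assigned
        "cleanup_$mode" 2>/dev/null || true
    ) || true
    if [ -d "$dir" ]; then rm -rf -- "$dir"; return 1; fi
    return 0
}

# Stand-alone use: ./pitfalls.sh --demo
if [ "${1:-}" = "--demo" ]; then
    run_backup_shorthand true false && echo "shorthand: failure hidden (status 0)"
    run_backup_guarded true false || echo "guarded: failure reported (status $?)"
    simulate_failed_build unsafe || echo "unsafe cleanup: workdir left behind"
    simulate_failed_build safe && echo "safe cleanup: workdir removed"
fi
```

The second pitfall is worse than it looks: because an unbound variable under set -u terminates the shell outright, everything after the offending line in the trap is skipped, which for a build script means mounts and temporary directories from the failed run stay around.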