mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-26 22:26:03 +02:00
Commit Graph

399 Commits

Author SHA1 Message Date
Jakub Klinkovský 70d1910047
Update archmanweb to v1.3 2021-09-02 21:30:25 +02:00
Kristian Klausen 6a11db2f20 Use wireguard for db connections to archlinux.org
Fix #177
2021-08-24 21:08:08 +02:00
Evangelos Foutras 5ff9037832
Do not reboot gemini if there are logged on users
This is done to avoid killing db-update and related processes.
2021-08-23 21:15:49 +03:00
Evangelos Foutras 4986190a69
Skip rebooting if package builds are running 2021-08-23 21:15:49 +03:00
Evangelos Foutras 485e26bb53
Wait for svntogit before rebooting after upgrade 2021-08-22 19:46:40 +03:00
Evangelos Foutras 19084fe336
Abort the play if any hosts fail to upgrade 2021-08-22 19:46:40 +03:00
Evangelos Foutras 7605e7ee78
Use serial = 1 for servers without rescue shell 2021-08-22 19:46:39 +03:00
Evangelos Foutras 871f9a208e
Do rolling upgrades in batches of 20% 2021-08-22 19:46:39 +03:00
Evangelos Foutras 55199ad75a
Update archlinux-keyring before full system upgrade 2021-08-22 19:46:39 +03:00
Evangelos Foutras 0bc7a762bf
upgrade-servers: Don't reboot if no upgrades occurred 2021-08-22 19:46:39 +03:00
Evangelos Foutras ad14ad7db8
Add simple playbook task for upgrading servers
We want to treat our servers as cattle; hopefully when this is fleshed
out a bit more, it can accomplish the job without too many casualties.
2021-08-22 19:46:39 +03:00
Evangelos Foutras 5a88a31374
fluxbb: Speed up search and increase buffer pool 2021-08-19 03:48:53 +03:00
Evangelos Foutras 6534413cf3
mariadb: Tweak query cache settings
We used to set query_cache_type to 0 in the default settings but we were
also setting query_cache_size to a non-zero/non-default value, which was
in turn re-enabling the query cache. Update the configuration to reflect
the actual cache state and make sure query_cache_size is set to zero for
the "query_cache_type = 0" case.

Now that the setting controls the real state of the query cache, disable
it for bbs.archlinux.org; its hit rate is small compared to insert rate.
2021-08-18 19:56:50 +03:00
Evangelos Foutras de7582913c
mariadb: Move two common variables out of playbooks
Default query_cache_type to 0 and innodb_file_per_table to true.
2021-08-18 03:07:12 +03:00
Jan Alexander Steffens (heftig) 481033af57
matrix: Update synapse to 1.40.0 2021-08-10 21:49:51 +02:00
Kristian Klausen 2304dc5caa Split the postfix role into a role for mail.a.o and the clients
The role for the clients is named postfix_null (per [1]) and it's much
simpler and cleaner than the postfix role. I hope I can clean up the
postfix role at a later date.

[1] http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client
2021-07-16 20:02:05 +02:00
Kristian Klausen db2a1bf348 Restrict the users on mail.a.o to the passwd command
The users are only meant as a way to change the mail password and
setting up forwarding (~/.forward), the latter will be handled by the
DevOps team now.
2021-07-16 01:48:14 +00:00
Jelle van der Waa cbe8eab0ad
Add fail2ban to all-hosts-basic playbook 2021-07-12 17:24:01 +02:00
Kristian Klausen 664deb67ab WireGuard all hosts
This is meant as an internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.
2021-07-06 20:58:15 +00:00
Jelle van der Waa e4ea994c35
Add missing firewalld role 2021-07-05 22:37:48 +02:00
Kristian Klausen 79f7d59910 Goodbye luna
https://lists.archlinux.org/pipermail/arch-dev-public/2021-July/030471.html

Fix #86
2021-07-04 12:46:01 +00:00
Kristian Klausen 06d4826aac Make the lists.al.org VPS the new lists server
Fix #356
2021-06-30 09:30:31 +00:00
Kristian Klausen bc1c5fe614 Add mailman role for the new lists.al.org machine
The DNS is still pointing to luna.
2021-06-30 09:30:31 +00:00
Kristian Klausen 41c5a5e26c Add initial playbook for lists.archlinux.org
nginx, certbot, postfix and mailman are still missing and the DNS is
still pointing to luna.
2021-06-30 09:30:31 +00:00
Kristian Klausen c6e740b84a rspamd: Don't hardcode the dkim signing domain
We want to use rspamd for lists.al.org at some point, so we can't
hardcode the domain to archlinux.org.
2021-06-30 09:30:31 +00:00
Jakub Klinkovský 3fa976c83e Update archmanweb to v1.2
Co-authored-by: Kristian Klausen <kristian@klausen.dk>
2021-06-15 02:40:51 +02:00
Jan Alexander Steffens (heftig) 652185f380
matrix: Retune memory use a bit
Give more memory to the apps and less to postgres.
2021-06-01 18:44:21 +02:00
Jelle van der Waa bab8e408fd
Add missing fail2ban role to md.archlinux.org 2021-05-16 13:54:34 +02:00
Kristian Klausen b0793ac561 grafana: Add anonymous access for dashboards.al.org 2021-05-13 23:28:04 +02:00
Kristian Klausen e9f7c97088 prometheus: Add receive only mode and remote_write metrics to dashboards.al.org 2021-05-13 23:28:04 +02:00
Kristian Klausen 103bbdec41 Split alertmanager into its own role 2021-05-13 23:28:04 +02:00
Sven-Hendrik Haase d2b110d250 Add dashboards.archlinux.org for public Grafana dashboards
Co-authored-by: Kristian Klausen <kristian@klausen.dk>
2021-05-13 23:28:01 +02:00
Sven-Hendrik Haase 47d4f0801f
install_arch: Update bootstrap_version to 2021.04.01 2021-04-30 18:52:34 +02:00
Jelle van der Waa bdd538ecd7
Use unbound for rspamd DNS resolving
To not run into rate-limits when resolving DNS records from rspamd, use
our own local recursive resolver.
2021-04-22 21:03:30 +02:00
Jelle van der Waa 89a98702bd
Remove arch32 mirror role
We no longer mirror arch32 on our servers and this role is currently
broken.
2021-04-12 18:47:10 +02:00
Kristian Klausen 7235e726d6
Implement centralized logging
Fix #263
2021-04-08 20:33:43 +02:00
Kristian Klausen b941a133fb Remove unbound from most systems
unbound is only used if dns_servers is explicitly set to 127.0.0.1, which
isn't the case for any of these systems.

Fix #234
2021-04-07 20:01:39 +00:00
Sven-Hendrik Haase a2ca65b5aa
Bump pacman version 2021-03-19 13:51:46 +01:00
Jelle van der Waa 10bdd3389c
Add missing prometheus_exporters task to accounts.archlinux.org 2021-03-02 17:39:49 +01:00
Kristian Klausen 35df0be3a0 Add new role which syncs arch-boxes images to the repos
Fix #272
2021-02-25 23:58:04 +01:00
Kristian Klausen fabccd0f61 "Move" NM connectivity check file to a subdomain
The file should not be on the main domain as it adds unnecessary
complexity to the archweb role and there is a bigger chance that we
unintentionally break connectivity checking (which has happened in the
past[1][2]).

This doesn't remove the file from the main domain[3], as we need to ship
an updated NetworkManager package first.

[1] https://www.reddit.com/r/archlinux/comments/keai0g/does_anyone_know_if_this_is_normal/
[2] https://www.reddit.com/r/gnome/comments/ke9ytm/network_manager_popup/
[3] http://www.archlinux.org/check_network_status.txt

Fix #239
2021-02-25 20:23:56 +01:00
Jelle van der Waa d6320b7548
Switch the archwiki to PHP 7
As mediawiki does not support PHP 8 yet in the current LTS release, we
have to stay with PHP 7.
2021-02-19 18:28:14 +01:00
Kristian Klausen 4112bdf9fd Make ansible-lint happy
yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
2021-02-14 14:22:05 +01:00
Jelle van der Waa 230cc79a89
Migrate bugtracker to php7 package
As flyspray does not support PHP 8 as of yet, transition to the php7
package by simply introducing a new php7_fpm role.
2021-02-14 12:44:00 +01:00
Jelle van der Waa 3124cfd933
Add hedgedoc as new service
This adds a collaborative markdown editor as newly offered service which
is available via login for all Arch Linux Staff with an option to allow
anonymous edits by users (not default). Users are managed via keycloak
and require the Staff role to be allowed in, non staff keycloak users
currently will receive an internal server error due to an upstream
issue.
2021-02-01 21:59:30 +01:00
Sven-Hendrik Haase 44f497e52b
Remove dragon (fixes #267) 2021-01-31 13:54:14 +01:00
Sven-Hendrik Haase 83cbb36866
Add build.archlinux.org 2021-01-26 18:06:09 +01:00
Evangelos Foutras 6d813e52fb
Merge sogrep (createlinks script) into dbscripts
Databases used by sogrep are fetched by syncrepo from gemini, no point
in duplicating this work; consider this to be part of roles/dbscripts.
2021-01-24 09:47:04 +02:00
Jakub Klinkovský ca4a79d982 Deploy archmanweb v1.1 2021-01-23 21:16:36 +00:00
Sven-Hendrik Haase ed1ba0fbc5
gitlab: Fix address binding
GitLab becomes unhappy if it can't poll localhost.
2021-01-23 22:06:02 +01:00