- enable_gzip: grafana listens on localhost, nginx handles compression
- admin_user: initial admin creation is disabled in our config
- strict_transport_security: the same header is set by nginx
- strict_transport_security_max_age_seconds: unused without the above
On asia.mirror.pkgbuild.com, 'smartctl -a --json $disk' has been exiting
with code 64. From smartctl(1) code 64 corresponds to "Bit 6: The device
error log contains records of errors". Since we're not interested in old
errors, ignore it.
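To make the exit-code handling above explicit, here is an added POSIX sh example (not code from the Arch infrastructure repository) that classifies smartctl's bitmask exit status: bits 0-2 are failures of the smartctl run itself and stay fatal, bit 6 (value 64, old error-log records) is masked out, and any other set bit is still reported as a disk problem. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: interpret smartctl's bitmask exit status.
# Per smartctl(1): bits 0-2 mean smartctl itself failed (bad command line,
# device open failure, checksum or command error); bit 6 means the device
# error log contains records, which may be old. Only bit 6 is ignored here.

# smart_check_status EXIT_CODE -> prints "fatal", "disk-error" or "ok"
smart_check_status() {
    rc="$1"
    # Bits 0-2 (mask 7): smartctl could not do its job, treat as fatal.
    if [ $(( rc & 7 )) -ne 0 ]; then
        echo "fatal"
        return 2
    fi
    # Drop bit 6 (value 64): historical error-log entries we do not care about.
    rc=$(( rc & ~64 ))
    # Anything left (failing self-test, prefail attributes, ...) is a real problem.
    if [ "$rc" -ne 0 ]; then
        echo "disk-error"
        return 1
    fi
    echo "ok"
    return 0
}

# run_smartctl DISK: run the real check and classify its exit status.
# (Assumes smartctl is installed and the caller has permission to query DISK.)
run_smartctl() {
    smartctl -a --json "$1" > /dev/null 2>&1
    smart_check_status "$?"
}
```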
This has become outdated (missing new dedicated servers) and its usage
can be replicated by checking if ansible_virtualization_role == "host".
For Ansible ad hoc commands, '!hcloud' can be used to the same effect.
Symlinking home.json to archive.json causes a duplicate, as both
dashboards have the same uid, and Grafana won't keep the dashboards
updated when there are duplicates[1]. Instead just change
default_home_dashboard_path to point to the archive.json dashboard.
[1] "dashboards provisioning provider has no database write permissions
because of duplicates"
We have offered an arch mail address, for support staff, for over a
year[1][2] and the only difference is that support staff must only be
granted SSH access to mail.archlinux.org. SSH access to
homedir.archlinux.org is also allowed, but it is opt-in[3].
[1] 7287d6d3 ("archroles: Add support-staff group")
[2] 50c3e0f9 ("archusers: Support restricting users to specific hosts")
[3] e0e52552 ("Allow Alad access to homedir.archlinux.org")
Fix #372
WireGuard was set up to provide an internal network with confidentiality,
authenticity and integrity[1]. This migrates the remaining Prometheus
exporters to use the internal WireGuard network.
[1] 664deb67 ("WireGuard all hosts")
Fix #384
Expose aurweb RPC using goaurrpc to reduce the load on the server.
Additionally we can now geo-serve this to reduce load and bandwidth.
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Move the 'sshd_enable_includes' override to aur's host vars instead of
specifying it as part of playbooks/aur.archlinux.org. Otherwise, it would
break the AUR's SSH auth if ssh.d/aurweb_config does not get included.
This commit brings in four new routes to nginx:
- /archives/metadata.git
- /archives/users.git
- /archives/pkgbases.git
- /archives/pkgnames.git
See https://gitlab.archlinux.org/archlinux/aurweb/-/blob/master/doc/git-archive.md
For now, we will be updating the repositories once every 10 minutes.
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Co-signed by: Kevin Morris <kevr@0cost.org>
We were already ignoring fqcn-builtins which is now an alias for
fqcn[action-core] in ansible-lint 6.8.0. The latter started complaining
about fqcn[action] as well, so just opt out of all fqcn checks.
group_vars/all was enabling just the sshd jail so move this into the
fail2ban role defaults. patchwork, security and wiki were redefining
fail2ban_jails without deviating from the group_vars/all default and
can therefore be dropped.