Hetzner DNS has been delaying many responses for 5 seconds, causing
outgoing federation work to pile up, almost running into OOM before we
noticed.
I don't know if we're being throttled because federation makes a *lot* of
requests. Anyway, using Cloudflare DNS seems to solve it.
Enable DNSOverTLS for this because we can.
Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.
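The rate limit described in the commit above, shown here as an added illustration rather than the repository's own Ansible templates: one nginx limit_req zone at 20 req/s in front of the uwsgi location and a separate, more permissive zone for the RSS feed, so that the uwsgi zone alone produces the "limiting requests" error-log lines a fail2ban nginx-limit-req jail acts on. The zone names, socket path, burst size and RSS rate are assumptions.

```nginx
# Added example (not the repo's templates). Assumed names: zones "uwsgi" and
# "rss", socket /run/archweb/archweb.sock, log /var/log/nginx/error.log.
http {
    # Per-client-IP counters in shared memory; 10 MB holds ~160k addresses.
    limit_req_zone $binary_remote_addr zone=uwsgi:10m rate=20r/s;
    limit_req_zone $binary_remote_addr zone=rss:10m   rate=5r/s;

    # Excess requests are logged at "error" level, which is what the stock
    # fail2ban nginx-limit-req filter matches on ("limiting requests, excess:
    # ... by zone "<name>", client: <ip>").
    limit_req_log_level error;
    limit_req_status    429;
    error_log /var/log/nginx/error.log error;

    server {
        # Feed readers poll in bursts; limit them, but a fail2ban jail can be
        # scoped to the "uwsgi" zone so hitting this one never bans anyone.
        location /feeds/ {
            limit_req zone=rss burst=10 nodelay;
            include uwsgi_params;
            uwsgi_pass unix:/run/archweb/archweb.sock;
        }

        # Everything dynamic goes through uwsgi and is limited to 20 req/s,
        # allowing a short burst of 40 before 429s (and log lines) start.
        location / {
            limit_req zone=uwsgi burst=40 nodelay;
            include uwsgi_params;
            uwsgi_pass unix:/run/archweb/archweb.sock;
        }
    }
}
```

With this in place, a fail2ban jail using the stock nginx-limit-req filter on /var/log/nginx/error.log bans clients that keep exceeding the uwsgi zone; restricting the filter's zone list to "uwsgi" (the filter exposes an ngx_limit_req_zones parameter for this) is what keeps RSS over-polling from triggering a ban, matching the behaviour the commit describes.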
This is meant as an internal authenticated and encrypted network which we
can use for internal services we don't want to expose to the internet,
or when encryption is desired but not easily implementable.
Ansible complains if the fail2ban_jails dictionary is missing the
nginx_limit_req key. Adding this as default false.
Bugfix from: e5773374
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
For spam checking it is recommended to use our own recursive resolver[1]
to avoid the rate limiting incurred by using a public resolver.
unbound is already installed but the system wasn't configured to use it.
[1] https://rspamd.com/doc/faq.html#resolver-setup
Previously we configured our network conf on all interfaces, which
shouldn't be done as not all are routed to the internet, and this causes
the systemd network-online target to fail.
This adds a collaborative markdown editor as newly offered service which
is available via login for all Arch Linux Staff with an option to allow
anonymous edits by users (not default). Users are managed via keycloak
and require the Staff role to be allowed in, non staff keycloak users
currently will receive an internal server error due to an upstream
issue.
The former approach to export a maildir and iterate over it with a
script broke when the mail server and the web server got their
own hosts. This will use IMAP IDLE to check for new mails and pass
them instantly to the django manage.py script without storing the mail
locally.
Added a host_vars file for the new wiki.archlinux.org machine, with the required
variables, especially the memcached_socket, for the prometheus exporter.
Added a host_vars file for archlinux.org as well as the playbook for the archlinux.org
machine. It is a stripped-down version of apollo's playbook, only containing the roles
pertaining to archweb.
Do not use asterisk on network devices to prevent IP address collisions
on networks. Also use the right network mask for the assigned network.
For runner1 we need to ignore RAs since those routes don't work.
To simplify the archive role, split it up into the web serving part for
the archive-mirrors and gemini, and keep the archive role for only the
archive operation. This simplifies the new role as only two lines are
required to set up the archive mirror website.