DuckCorp Projects: Issues (Redmine)
https://projects.duckcorp.org/
2023-08-17T08:45:40Z

DuckCorp Infrastructure - Enhancement #787 (New): Add carddav/caldav SRV records on dc.o
https://projects.duckcorp.org/issues/787
2023-08-17T08:45:40Z
Marc Dequènes <duck@duckcorp.org>
<p><a class="external" href="https://blog.fidelramos.net/software/nextcloud-caldav-carddav-dns">https://blog.fidelramos.net/software/nextcloud-caldav-carddav-dns</a></p>

DuckCorp Infrastructure - Bug #783 (In Progress): Move Services out of Orfeo
https://projects.duckcorp.org/issues/783
2023-07-09T13:51:58Z
Marc Dequènes <duck@duckcorp.org>
Orfeo's RAID ! has one disk down, so let's move certain services out of it for now:
<ul>
<li>✅ PostgreSQL database -> Toushirou</li>
<li>✅ webmail -> Toushirou</li>
<li>✅ mailing-lists -> Toushirou</li>
<li>✅ XMPP -> Jinta</li>
<li>🔳 IRC services</li>
<li>🔳 (maybe, or later if things get bad) NS1 & DDNS -> Toushirou</li>
</ul>

DuckCorp Infrastructure - Enhancement #743 (In Progress): Switching to Prometheus?
https://projects.duckcorp.org/issues/743
2021-11-17T11:56:09Z
Marc Dequènes <duck@duckcorp.org>
<p>With exporters gaining TLS support there is no obvious major problem left and we can do some testing.</p>
<p>I've started a new playbook and role to experiment and so far it is working well.</p>
Some thoughts, in no order:
<ul>
<li>zabbix: hard to configure all in the slow UI</li>
<li>zabbix: certain features are slow to come (<a class="issue tracker-2 status-6 priority-3 priority-lowest closed" title="Enhancement: Maybe use LLD Stacking graph script in forum (Rejected)" href="https://projects.duckcorp.org/issues/495">#495</a>, native systemd support, LLD web checks…)</li>
<li>prometheus_ansible_role: no service autodetection anymore; I found it very easy to map "features" to inventory groups or variables, and it's now easy to manually disable or force-enable if needed</li>
<li>prometheus: <a href="https://github.com/prometheus/prometheus/issues/8543" class="external">nice feature coming to help split the config</a>, but in the meantime I might be able to use <em>file_sd_configs</em> and avoid passing inventory vars directly into the role to work around the problem</li>
<li>grafana: I would have preferred if grafana was packaged in Debian but in the end it's very handy to make use of their dashboard libraries and avoid spending hours and hours designing every little graph</li>
<li>prometheus: using textfiles collector can be an alternative to the lack of exporter or when it's not packaged (used for NTP/chrony)</li>
</ul>
What we have so far:
<ul>
<li>node basic and all the hardware goodies, temperature etc seem to be there too</li>
<li>poller stats</li>
<li>Bind</li>
<li>Postfix</li>
<li>Apache</li>
<li>PG</li>
<li>LXD</li>
<li>blackbox with checks of almost all public services endpoints, with TLS and protocol checks when possible too</li>
<li>Prosody, but no grafana dashboard and the available stats are limited; there are additional modules called measure_* to complement them but they are not packaged</li>
<li>MySQL</li>
<li>NTP</li>
<li>Nextcloud</li>
</ul>
I was able to setup several exporters and borrow various alerts from <a class="external" href="https://awesome-prometheus-alerts.grep.to/">https://awesome-prometheus-alerts.grep.to/</a> but even if we have more than before in certain areas I'd like to check if we're missing something important (compared to our Zabbix installation):
<ul>
<li><del>time sync is checked but NTPd stats are missing; there is an exporter but it is not packaged</del></li>
<li>no maps, but if that was cute that was also utterly useless</li>
<li>ProFTPd, but I'm not sure it's worth it now</li>
<li>SNMP checks for my internal switches, more out of curiosity</li>
<li>SNMP checks for my printer, but I don't use it very often so it's not critical</li>
<li>OpenLDAP stats, more out of curiosity</li>
<li><del>MDA, this is important</del></li>
<li><del>MySQL, also important</del></li>
<li><del>alerts via mail, IRC and XMPP</del></li>
</ul>
What I plan to look at:
<ul>
<li>[WIP] make the role generic and split it from our main repo (and use it at OSCI)</li>
<li><del>generation of alerter contacts and alert methods (Matrix, XMPP, Mail)</del></li>
<li><del>blackbox, maybe replace smokeping? add check for certs, DNSSEC etc</del></li>
<li>[WIP] grafana base config generation</li>
<li><del>MySQL exporter</del></li>
<li>SNMP for my internal switches</li>
<li>could we make certain graphs public? (like pings etc?)</li>
<li><del><a href="https://github.com/kumina/dovecot_exporter" class="external">Dovecot exporter</a>, but not packaged in Debian</del></li>
<li><del><a href="https://github.com/xperimental/nextcloud-exporter" class="external">Nextcloud exporter</a></del> backported and bumped to 0.5.0 for token auth support</li>
<li><a href="https://github.com/jaywink/matrix-alertmanager" class="external">Matrix alert hook</a>, but not packaged in Debian</li>
<li><a href="https://github.com/prometheus/node_exporter/issues/1136" class="external">node exporter maintainers do not want to add systemd service stats</a> but there is a <a href="https://github.com/povilasv/systemd_exporter" class="external">systemd exporter</a> that would help get per-service resource consumption stats</li>
<li>the IRC relay displays only limited info, no severity coloring, and sometimes disconnects and is unable to reconnect; <a href="https://gitlab.crans.org/esum/NinjaBot" class="external">NinjaBot</a> seems to be a nice alternative</li>
<li>SSH checks on non-standard port (currently Orthos and Nicecity checks only check the gateway…)</li>
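</ul>

<p>As an added example (not code from the issue, nor from the DuckCorp Ansible roles) of the textfile-collector workaround mentioned above for NTP/chrony: a small collector that parses <code>chronyc tracking</code> output and writes node_exporter's text exposition format atomically into the collector directory. The sample output, the metric names and the Debian textfile directory are this example's assumptions.</p>

```python
import os
import re
import subprocess
import tempfile

# Constructed sample of `chronyc tracking` output (not captured from a DuckCorp host),
# used when the script runs offline or on a machine without chrony.
SAMPLE_TRACKING = """\
Reference ID    : C0248F82 (ntp1.example.net)
Stratum         : 2
Ref time (UTC)  : Thu Aug 17 08:45:40 2023
System time     : 0.000012345 seconds fast of NTP time
Last offset     : -0.000003210 seconds
RMS offset      : 0.000045678 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 1024.5 seconds
Leap status     : Normal
"""

# Assumed: Debian's default directory for node_exporter's textfile collector.
DEFAULT_DIR = "/var/lib/prometheus/node-exporter"
LEAP_STATES = {"Normal": 0, "Insert second": 1, "Delete second": 2, "Not synchronised": 3}


def parse_tracking(text):
    """Turn `chronyc tracking` output into {metric_name: float}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split at the first ':' only
        if sep:
            fields[key.strip()] = value.strip()

    def signed(name, unit):
        # "12.345 ppm slow" -> -12.345 ; "0.000012 seconds fast of NTP time" -> +0.000012
        m = re.match(r"([-+]?[\d.]+) " + unit + r"(?: (fast|slow))?", fields[name])
        if not m:
            raise ValueError(f"unexpected {name!r} value: {fields[name]!r}")
        val = float(m.group(1))
        return -val if m.group(2) == "slow" else val

    leap = fields["Leap status"]
    return {
        "chrony_tracking_stratum": float(fields["Stratum"]),
        "chrony_tracking_system_time_offset_seconds": signed("System time", "seconds"),
        "chrony_tracking_last_offset_seconds": signed("Last offset", "seconds"),
        "chrony_tracking_rms_offset_seconds": signed("RMS offset", "seconds"),
        "chrony_tracking_frequency_ppm": signed("Frequency", "ppm"),
        "chrony_tracking_residual_frequency_ppm": signed("Residual freq", "ppm"),
        "chrony_tracking_skew_ppm": signed("Skew", "ppm"),
        "chrony_tracking_root_delay_seconds": signed("Root delay", "seconds"),
        "chrony_tracking_root_dispersion_seconds": signed("Root dispersion", "seconds"),
        "chrony_tracking_update_interval_seconds": signed("Update interval", "seconds"),
        "chrony_tracking_leap_status": float(LEAP_STATES.get(leap, 3)),
        # 1 when chrony is synchronised: alert on this and on large offsets
        "chrony_tracking_synchronised": 0.0 if leap == "Not synchronised" else 1.0,
    }


def render(metrics):
    """Prometheus text exposition format, one gauge per metric."""
    lines = []
    for name, value in sorted(metrics.items()):
        lines.append(f"# TYPE {name} gauge")
        lines.append(f"{name} {value!r}")
    return "\n".join(lines) + "\n"


def write_textfile(content, directory=DEFAULT_DIR, name="chrony.prom"):
    """Write via temp file + rename: node_exporter must never read a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".chrony.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o644)
        os.replace(tmp, os.path.join(directory, name))
    except BaseException:
        os.unlink(tmp)
        raise


def collect(use_sample=False):
    """Run chronyc (or use the constructed sample) and return the parsed metrics."""
    if use_sample:
        return parse_tracking(SAMPLE_TRACKING)
    out = subprocess.run(["chronyc", "tracking"], check=True, capture_output=True, text=True)
    return parse_tracking(out.stdout)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    write_textfile(render(collect()), target)
```

<p>Run it from cron or a systemd timer as a user that can write to the collector directory. The rename is the important part: node_exporter re-reads the directory on every scrape, so a non-atomic write shows up as parse errors in <code>node_textfile_scrape_error</code>.</p>

<ul>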
</ul>

DuckCorp Infrastructure - Bug #720 (In Progress): Bind9 KASP Migration Problems
https://projects.duckcorp.org/issues/720
2021-02-20T08:51:12Z
Marc Dequènes <duck@duckcorp.org>
<p>This is the migration from the preliminary DNSSEC implementation called <code>dnssec-keymgr</code> to the integrated KASP scheduler with <code>dnssec-policy</code>.</p>
We encountered a few bugs or limitations (the latter being expected improvements over the old system that are still dearly lacking):
<ul>
<li><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958934" class="external">old apparmor profile in the way</a></li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2404" class="external">does not properly import keys and states from old system</a></del> fixed in 9.16.11</li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2544" class="external">Migrating to dnssec-policy, DS is set to rumoured</a></del> could not be reproduced upstream (just for reference)</li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2488" class="external">rndc dnssec -rollover takes a <strong>very</strong> long time to be taken into account; not good for emergency rollover</a> planned for 9.16.4 or 9.16.5</del></li>
<li><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/1126" class="external">implement check if the DS record has been published</a> (should be in 9.16.19)</li>
<li><del>automatic purge of old keys</del> <em>purge-keys</em> added in 9.16.13</li>
<li><del><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2498" class="external">NSEC3 RRs not maintained properly; we are not affected but that's bad</a></del> fixed in 9.16.12</li>
<li><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/1890" title="RFC 7344" class="external">new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY</a></li>
</ul>
Features we really need:
<ul>
<li><del>publishing of CDS/CDNSKEY</del> handled by KASP</li>
<li><del>automate using published CDS/CDNSKEY in parent zones we manage</del> created support with a crontab in the bind9 role</li>
<li>notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream</li>
<li>automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar</li>
<li>rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)</li>
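</ul>

<p>An added example, not the bind9 role's crontab support nor any ISC code, for the two automation items above (feeding the parent from CDS/CDNSKEY, and telling Bind when the DS is published or withdrawn): it computes DS records from the zone's KSKs (RFC 4034 key tag, RFC 4509 SHA-256 digest), diffs the zone's CDS set against the DS set the parent actually serves, and emits the <code>rndc dnssec -checkds</code> calls that update KASP's view. Zone name, keys and DS strings are constructed; the rndc syntax is the one documented for BIND 9.16.19 and later, so check it against the installed version.</p>

```python
import base64
import hashlib
import struct


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}   # SHA-1 (type 1) deliberately left out


def ds_from_dnskey(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """(key_tag, algorithm, digest_type, HEXDIGEST): the DS/CDS RDATA for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(text):
    """'tag alg dtype hexdigest' presentation form; dig may split the digest with spaces."""
    tag, alg, dtype, *digest = text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())


def ds_text(ds):
    return f"{ds[0]} {ds[1]} {ds[2]} {ds[3]}"


def classify_keys(zone, ksk_dnskeys, child_cds, parent_ds):
    """Per KSK, where does its DS stand? ksk_dnskeys = [(flags, proto, alg, b64key), ...],
    child_cds / parent_ds = DS-format strings. Returns {key_tag: state}:
      published  CDS and parent agree        -> rndc dnssec -checkds ... published
      submit     in CDS, parent lacks it     -> push to parent (own zone or registrar API)
      remove     parent has it, CDS does not -> delete at parent
      absent     neither side has it         -> 'withdrawn' for a retiring key (a brand-new
                                                key also sits here until KASP publishes CDS)"""
    cds = {parse_ds(r) for r in child_cds}
    parent = {parse_ds(r) for r in parent_ds}
    states, seen = {}, set()
    for flags, proto, alg, key in ksk_dnskeys:
        # match on every digest type we can compute, so a SHA-384 DS at the parent counts too
        mine = {ds_from_dnskey(zone, flags, proto, alg, key, d) for d in DIGESTS}
        seen |= mine
        tag = key_tag(dnskey_rdata(flags, proto, alg, key))
        in_cds, in_parent = bool(mine & cds), bool(mine & parent)
        if in_cds and in_parent:
            states[tag] = "published"
        elif in_cds:
            states[tag] = "submit"
        elif in_parent:
            states[tag] = "remove"
        else:
            states[tag] = "absent"
    for stale in parent - seen:          # DS at the parent for a key the zone no longer has
        states[stale[0]] = "remove"
    return states


def rndc_commands(zone, states, retiring_tags=()):
    """Tell KASP the parent changed (BIND 9.16.19+ syntax, assumed; see rndc(8))."""
    cmds = [f"rndc dnssec -checkds -key {tag} published {zone}"
            for tag, st in sorted(states.items()) if st == "published"]
    cmds += [f"rndc dnssec -checkds -key {tag} withdrawn {zone}"
             for tag, st in sorted(states.items()) if st == "absent" and tag in retiring_tags]
    return cmds


if __name__ == "__main__":
    # Constructed data: 4-byte "keys" only exercise the arithmetic, they are not real keys.
    zone = "example.org"
    ksks = [(257, 3, 13, "AQIDBA=="), (257, 3, 13, "BQYHCA=="), (257, 3, 13, "CQoLDA==")]
    new, old = ds_from_dnskey(zone, *ksks[0]), ds_from_dnskey(zone, *ksks[1])
    states = classify_keys(zone, ksks, [ds_text(new), ds_text(old)], [ds_text(new)])
    print(states)
    print("\n".join(rndc_commands(zone, states)))
```

<p>In practice the inputs come from <code>dig +short DNSKEY zone</code>, <code>dig +short CDS zone</code> and <code>dig +short DS zone @parent-nameserver</code>. Only run <code>-checkds published</code> once every parent nameserver serves the DS: KASP starts the clock for making the new KSK omnipresent from that signal, so signalling early can retire the old key before the parent's old DS has expired from caches.</p>

<ul>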
</ul>

DuckCorp Infrastructure - Bug #692 (New): Elwing cannot be unlocked remotely
https://projects.duckcorp.org/issues/692
2020-04-12T15:28:35Z
Marc Dequènes <duck@duckcorp.org>
<p>The server is not listening on the SSH port as expected.</p>

DuckCorp Infrastructure - Tracking #677 (New): roundcube/twofactor_gauthenticator: bug in 2FA QR ...
https://projects.duckcorp.org/issues/677
2019-09-21T08:52:57Z
Marc Dequènes <duck@duckcorp.org>
<p><a class="external" href="https://github.com/alexandregz/twofactor_gauthenticator/issues/99">https://github.com/alexandregz/twofactor_gauthenticator/issues/99</a></p>
<p>According to the BR it is possible to get the QR code simply by switching back to the <em>Larry</em> theme temporarily.</p>

DuckCorp Infrastructure - Enhancement #675 (In Progress): Publish DANE/TLSA records for Let's Enc...
https://projects.duckcorp.org/issues/675
2019-09-20T17:42:05Z
Marc Dequènes <duck@duckcorp.org>

DuckCorp Infrastructure - Enhancement #673 (New): Dovecot submission server
https://projects.duckcorp.org/issues/673
2019-09-09T06:57:36Z
Marc Dequènes <duck@duckcorp.org>
<p>Would be nice to enable BURL/URLAUTH extensions and possibly other things in the future (like SIEVE filtering for outgoing messages).</p>
<p>I saw fixes in recent releases, so I need to assess if it can be put in production. When it's in place we can think about extra features.</p>

DuckCorp Infrastructure - Enhancement #647 (In Progress): Patched softwares, how to handle them?
https://projects.duckcorp.org/issues/647
2019-04-21T09:54:52Z
Marc Dequènes <duck@duckcorp.org>
The following files were patched:
<ul>
<li>Jinta:
<ul>
<li>/usr/lib/python3/dist-packages/wikitrans/wikimarkup.py: fix for dico</li>
</ul>
</li>
<li>Orfeo:
<ul>
<li>/usr/lib/ruby/vendor_ruby/mail/fields/content_type_field.rb: fix for cyborghood_postman</li>
<li>/var/lib/aspell/br.{compat,rws}: affected by <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690216" class="external">Debian#690216</a></li>
<li>/usr/lib/python3/dist-packages/postorius/templates/postorius/lists/held_messages.html: fix for held messages popup not visible</li>
</ul>
</li>
<li>Thorfinn:
<ul>
<li>/var/lib/aspell/br.{compat,rws}: affected by <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690216" class="external">Debian#690216</a></li>
</ul>
</li>
<li>Toushirou:
<ul>
<li>/usr/share/redmine/app/controllers/activities_controller.rb: missing API to get activities on the website</li>
<li>/usr/share/redmine/lib/redmine/themes.rb: per-project theme</li>
<li>/var/lib/aspell/br.{compat,rws}: affected by <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690216" class="external">Debian#690216</a></li>
<li>/usr/share/redmine/app/helpers/application_helper.rb: <a class="issue tracker-6 status-3 priority-4 priority-default closed" title="Tracking: redmine: disable usage of non-free gravatar service (Resolved)" href="https://projects.duckcorp.org/issues/731">#731</a></li>
<li>/usr/share/redmine/lib/plugins/gravatar/lib/gravatar.rb: <a class="issue tracker-6 status-3 priority-4 priority-default closed" title="Tracking: redmine: disable usage of non-free gravatar service (Resolved)" href="https://projects.duckcorp.org/issues/731">#731</a></li>
</ul></li>
</ul>

DuckCorp Infrastructure - Enhancement #602 (In Progress): Deploy Content Security Policy (CSP) an...
https://projects.duckcorp.org/issues/602
2017-09-30T07:02:53Z
Marc Dequènes <duck@duckcorp.org>
<p>We should have a look at this: <a class="external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a></p>
<p>Full specification: <a class="external" href="https://www.w3.org/TR/CSP/">https://www.w3.org/TR/CSP/</a></p>

DuckCorp Infrastructure - Bug #594 (Blocked): slap_global_control: unrecognized control
https://projects.duckcorp.org/issues/594
2017-09-21T16:51:56Z
Marc Dequènes <duck@duckcorp.org>
The following controls are not recognized, so we should either support them or track and reconfigure the clients asking for them:
<ul>
<li>1.3.6.1.4.1.4203.666.5.16: slapo-deref</li>
<li>1.3.6.1.4.1.42.2.27.8.5.1: password policy module</li>
</ul>

DuckCorp Infrastructure - Enhancement #564 (In Progress): Unused accounts spring cleanup
https://projects.duckcorp.org/issues/564
2017-06-24T03:51:16Z
Marc Dequènes <duck@duckcorp.org>
<p>We probably have several unused accounts, so let's check usage, contact users, and adapt or close accounts as needed.</p>
<p>Sub-tasks are to track specific resources usage, which would allow for per-service cleanup and help account-level cleanup.</p>
<p>It would be nice if the per-service reports could be parsable in order to generate an aggregate report for admin.</p>

DuckCorp Infrastructure - Bug #550 (In Progress): Internet is slow (and probably ever was)
https://projects.duckcorp.org/issues/550
2017-06-13T08:21:39Z
Marc Dequènes <duck@duckcorp.org>
<pre>
# speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from OCN (114.158.197.252)...
Selecting best server based on latency...
Hosted by h3zjp (Nerima) [14.71 km]: 13.441 ms
Testing download speed........................................
Download: 247.74 Mbits/s
Testing upload speed..................................................
Upload: 123.57 Mbits/s
</pre>
<pre>
# speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from OCN (114.158.197.252)...
Selecting best server based on latency...
Hosted by TB (Tokyo) [8.86 km]: 6.79 ms
Testing download speed........................................
Download: 204.83 Mbits/s
Testing upload speed..................................................
Upload: 183.24 Mbits/s
</pre>
<p>Google speedtest seems to confirm.</p>

mkcert - Review #542 (In Progress): mkcert: allow to specify CONFDIR
https://projects.duckcorp.org/issues/542
2017-05-14T21:57:33Z
Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>Please, could you review the branches listed below?</p>
<ul>
<li><code>Allow-to-define-CONFDIR</code></li>
<li><code>Key-size-synchronize-default-values-sample-values</code></li>
<li><code>Typo</code></li>
<li><code>improve-reliability-enable-some-checks</code></li>
<li><code>Handle-when-mkcert-isn-t-in-PATH</code></li>
<li><code>directory-might-not-exists</code></li>
</ul>
<p>These branches are available at <code>https://vcs-git.duckcorp.org/people/pilou/mkcert.git</code>.</p>

DuckCorp Infrastructure - Bug #531 (In Progress): Logcheck on Elwing seems unable to send mail
https://projects.duckcorp.org/issues/531
2017-05-02T15:31:47Z
Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>On <code>Orfeo</code>, in <code>/var/log/mail.log</code>:</p>
<pre>
May 1 12:55:34 orfeo postfix/smtpd[14064]: NOQUEUE: reject: RCPT from unknown[2400:4030:9f9b:e901::1]: 450 4.7.1 Client host rejected: cannot find your hostname, [2400:4030:9f9b:e901::1]; from=<daemon@hq.duckcorp.org> to=<root@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
[...]
May 1 12:55:34 orfeo postfix/smtpd[19450]: NOQUEUE: reject: RCPT from unknown[2400:4030:9f9b:e901::1]: 450 4.7.1 Client host rejected: cannot find your hostname, [2400:4030:9f9b:e901::1]; from=<duck@hq.duckcorp.org> to=<duck@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
</pre>
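<p>An added example, not part of the report above: the quoted lines are what Postfix's <code>reject_unknown_client_hostname</code> restriction logs when the client address has no PTR record (or the PTR does not resolve back to the address); the 450 is its default temporary-failure code, so Elwing's logcheck mail sits in its queue and retries until the PTR for <code>2400:4030:9f9b:e901::1</code> exists or Orfeo exempts that client. The script below parses such <code>NOQUEUE: reject</code> lines, counts rejections per client and reason, and lists the clients bounced for a missing PTR. The log sample mirrors the two quoted lines plus a constructed third rejection and a non-reject line; the example hosts and addresses other than the quoted ones are made up.</p>

```python
import re
from collections import Counter

# Constructed sample: the first two lines mirror the quoted mail.log entries,
# the others are invented to show non-matching and differently-rejected traffic.
SAMPLE_LOG = """\
May  1 12:55:34 orfeo postfix/smtpd[14064]: NOQUEUE: reject: RCPT from unknown[2400:4030:9f9b:e901::1]: 450 4.7.1 Client host rejected: cannot find your hostname, [2400:4030:9f9b:e901::1]; from=<daemon@hq.duckcorp.org> to=<root@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
May  1 12:55:34 orfeo postfix/smtpd[19450]: NOQUEUE: reject: RCPT from unknown[2400:4030:9f9b:e901::1]: 450 4.7.1 Client host rejected: cannot find your hostname, [2400:4030:9f9b:e901::1]; from=<duck@hq.duckcorp.org> to=<duck@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
May  1 13:02:10 orfeo postfix/smtpd[20011]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.25]: 554 5.7.1 <spam@example.net>: Sender address rejected: Access denied; from=<spam@example.net> to=<duck@hq.duckcorp.org> proto=ESMTP helo=<mail.example.net>
May  1 13:03:00 orfeo postfix/smtpd[20012]: connect from localhost[127.0.0.1]
"""

# One regex for the smtpd reject line: syslog prefix, "stage from rdns[ip]", SMTP status,
# enhanced status code, free-text reason up to the first "; ", then the envelope fields.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: "
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<ecode>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)


def parse_rejects(text):
    """Return one dict per NOQUEUE reject line; every other line is ignored."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Drop the client-specific ", [ip]" suffix so identical reasons group together.
        rec["reason"] = re.sub(r",? \[[^\]]+\]$", "", rec["reason"])
        records.append(rec)
    return records


def summarise(records):
    """Count rejects per (client ip, HELO name, reason): misconfigured hosts stand out."""
    return Counter((r["ip"], r["helo"], r["reason"]) for r in records)


def missing_ptr_clients(records):
    """Clients refused because their address has no usable PTR. Each needs a PTR plus a
    matching forward record, or an explicit check_client_access exemption placed before
    reject_unknown_client_hostname in smtpd_client_restrictions."""
    return sorted({(r["ip"], r["helo"]) for r in records
                   if r["rdns"] == "unknown" and "cannot find your hostname" in r["reason"]})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_rejects(text)
    for (ip, helo, reason), n in summarise(recs).most_common():
        print(f"{n:5d}  {ip}  helo={helo}  {reason}")
    for ip, helo in missing_ptr_clients(recs):
        print(f"no PTR for {ip} (helo {helo}): add PTR + matching AAAA/A, or exempt the client")
```

<p>Point it at <code>/var/log/mail.log</code> to get the same table for real traffic. Note that the HELO name is whatever the client claims, so it identifies Elwing here but is not evidence for anything else; the decision to exempt a client should rest on its address.</p>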