ai3 issues
https://git.autistici.org/groups/ai3/-/issues
2024-03-14T09:36:11Z

https://git.autistici.org/ai3/float/-/issues/148
X509 PKI CA renewal is broken
2024-03-14T09:36:11Z
ale

When the PKI X509 CA (used for internal mTLS) expires, float will *not* re-generate all mTLS certificates.
This can be currently mitigated by running float with "-e force_renew_credentials=true" manually, which will forcefully regenerate all mTLS certificates (and restart the associated services/containers).

https://git.autistici.org/ai3/docker/rt4/-/issues/17
problems with sso
2024-01-22T17:52:11Z
putro

if you take more than a minute to reply to a ticket, it then gives an error
in the logs you find
```sso: validation error: ticket expired```
as the apache error,
and then the RT error:
```No ticket specified```

https://git.autistici.org/ai3/tools/ssh-key-wtmp/-/issues/1
Dependency Dashboard
2024-03-05T09:29:23Z
renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
This repository currently has no open or pending branches.
## Detected dependencies
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.19`
- `git.autistici.org/ai3/go-common v0.0.0-20230816213645-b3aa3fb514d6@b3aa3fb514d6`
- `github.com/oschwald/maxminddb-golang v1.12.0`
- `golang.org/x/crypto v0.21.0`
</details>
</blockquote>
</details>

https://git.autistici.org/ai3/float/-/issues/146
When multiple services on the same host use the same container image, only one gets restarted on update
2023-11-13T13:53:33Z
ale

Likely a deduping issue with the Ansible task that calls float-pull-image?

https://git.autistici.org/ai3/tools/admin-dashboard/-/issues/1
Dependency Dashboard
2024-02-27T20:26:09Z
renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
This repository currently has no open or pending branches.
## Detected dependencies
<details><summary>dockerfile</summary>
<blockquote>
<details><summary>Dockerfile</summary>
- `golang 1.22`
</details>
</blockquote>
</details>
<details><summary>npm</summary>
<blockquote>
<details><summary>package.json</summary>
- `css-loader 6.10.0`
- `extract-loader 5.1.0`
- `html-webpack-plugin 5.6.0`
- `mini-css-extract-plugin 2.8.1`
- `prometheus-query 3.4.0`
- `purgecss-webpack-plugin 5.0.0`
- `raw-loader 4.0.2`
- `webpack-subresource-integrity 5.1.0`
</details>
</blockquote>
</details>

https://git.autistici.org/ai3/config/-/issues/8
ARC support
2023-09-25T09:06:11Z
ale

[ARC](https://www.rfc-editor.org/rfc/rfc8617) is a thing now apparently and it is considered by large providers in antispam scoring, so it would be smart to support it.
There are two parts to it, Postfix should do ARC signing, and Mailman should try to avoid breaking it.
For Postfix, the point is to add Authentication-Results headers to all outbound messages (via smtp-auth or other means) to bootstrap the ARC verification chain, and then to have them signed pretty much in the same place where we do DKIM signatures.
The dkimpy library is able to do ARC signatures, but the dkimpy-milter package in Debian is not prepared to do so, although adding the functionality seems easy.
A plan:
* [ ] switch from OpenDKIM to dkimpy-milter
* [ ] make Postfix add Authentication-Results headers to emails sent by our users
* [ ] fork dkimpy-milter to add ARC support
Resources:
* [ARC official resources](http://arc-spec.org/?page_id=79) (incl. Mailman references)

https://git.autistici.org/ai3/go-common/-/issues/3
Switch the pwhash default to argon2id
2023-08-22T09:51:36Z
ale

Switching the default hasher to Argon2Std would allow us to implement #2 at some point...

https://git.autistici.org/ai3/go-common/-/issues/2
Replace the pwhash package with github.com/simia-tech/crypt
2023-08-22T09:51:36Z
ale

Fortunately it seems the argon2i format is compatible

https://git.autistici.org/ai3/float/-/issues/144
Replace Elasticsearch with Clickhouse
2023-08-22T07:29:16Z
ale

Clickhouse might be more suited to the low-resource use case and might generally scale better to the high-resources one - we'd lose Kibana, but there is not much there that can't be replaced by a simpler dashboarding / query UI.

https://git.autistici.org/ai3/float/-/issues/143
Model data control flow in logs
2023-08-22T07:25:55Z
ale

We're using syslog as the generalized transport for asynchronous messages, at least those that are expected to end up in a searchable database somewhere -- so it would be nice to be able to model these data flows explicitly (switching on *log_type* attribute, for instance?)
and describe them in a way that float would understand, and configure the system accordingly.
In line with this thinking, it would be nice to be able to set up *log consumers* that are not searchable databases, for example for the purpose of *log watching* (for periodic / real-time analysis, or alerting)...

https://git.autistici.org/ai3/tools/webauthn-cred/-/issues/1
Dependency Dashboard
2024-03-05T09:30:20Z
renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
## Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- [ ] <!-- rebase-branch=renovate/github.com-fxamacker-cbor-v2-2.x -->[Update module github.com/fxamacker/cbor/v2 to v2.6.0](!8)
## Detected dependencies
<details><summary>gitlabci</summary>
<blockquote>
<details><summary>.gitlab-ci.yml</summary>
</details>
</blockquote>
</details>
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.19`
- `github.com/duo-labs/webauthn v0.0.0-20221205164246-ebaf9b74c6ec@ebaf9b74c6ec`
- `github.com/fxamacker/cbor/v2 v2.5.0`
- `github.com/keys-pub/go-libfido2 v1.5.3`
- `golang.org/x/term v0.18.0`
</details>
</blockquote>
</details>

https://git.autistici.org/ai3/tools/msgflow/-/issues/1
Dependency Dashboard
2023-08-17T20:29:02Z
renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
This repository currently has no open or pending branches.
## Detected dependencies
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.15`
- `github.com/olivere/elastic/v7 v7.0.32`
</details>
</blockquote>
</details>

https://git.autistici.org/ai3/tools/cgroups-exporter/-/issues/3
Dependency Dashboard
2024-02-17T07:46:00Z
renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
---
> ⚠ **Warning**
>
> Renovate failed to look up the following dependencies: `Could not determine new digest for update (go package github.com/prometheus/client_golang)`.
>
> Files affected: `go.mod`
---
This repository currently has no open or pending branches.
## Detected dependencies
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.15`
- `github.com/moby/sys/mountinfo v0.7.1`
- `github.com/prometheus/client_golang v0.9.3-0.20190412003733-5a3ec6a883d3@5a3ec6a883d3`
- `github.com/tklauser/go-sysconf v0.3.13`
</details>
</blockquote>
</details>

https://git.autistici.org/ai3/docker/rsyslog/-/issues/1
rsyslog 8.2304.0 enters an infinite loop
2023-05-30T10:00:59Z
ale

It just hangs on a futex() call

https://git.autistici.org/ai3/float/-/issues/142
Tinc does not delete old host keys
2023-05-27T16:58:32Z
ale

If a host is removed from the inventory, float will not remove its tinc host configuration file, which might cause conflicts in case of IP re-use etc.

https://git.autistici.org/ai3/float/-/issues/141
Replace "zonetool" with "dnscontrol"
2023-03-07T09:10:52Z
ale

https://github.com/StackExchange/dnscontrol

https://git.autistici.org/ai3/tools/wig/-/issues/1
Dependency Dashboard
2024-03-26T03:29:31Z
renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
## Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- [ ] <!-- rebase-branch=renovate/golang.zx2c4.com-wireguard-wgctrl-digest -->[Update golang.zx2c4.com/wireguard/wgctrl digest to 925a1e7](!2)
- [ ] <!-- rebase-branch=renovate/github.com-mattn-go-sqlite3-1.x -->[Update module github.com/mattn/go-sqlite3 to v1.14.22](!9)
- [ ] <!-- rebase-branch=renovate/github.com-cenkalti-backoff-v4-4.x -->[Update module github.com/cenkalti/backoff/v4 to v4.3.0](!4)
- [ ] <!-- rebase-branch=renovate/github.com-google-go-cmp-0.x -->[Update module github.com/google/go-cmp to v0.6.0](!11)
- [ ] <!-- rebase-branch=renovate/github.com-oschwald-maxminddb-golang-1.x -->[Update module github.com/oschwald/maxminddb-golang to v1.12.0](!10)
- [ ] <!-- rebase-branch=renovate/github.com-prometheus-client_golang-1.x -->[Update module github.com/prometheus/client_golang to v1.19.0](!7)
- [ ] <!-- rebase-branch=renovate/golang.org-x-sync-0.x -->[Update module golang.org/x/sync to v0.6.0](!8)
- [ ] <!-- rebase-all-open-prs -->**Click on this checkbox to rebase all open MRs at once**
## Detected dependencies
<details><summary>gitlabci</summary>
<blockquote>
<details><summary>.gitlab-ci.yml</summary>
</details>
</blockquote>
</details>
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.19`
- `github.com/cenkalti/backoff/v4 v4.1.3`
- `github.com/google/go-cmp v0.5.9`
- `github.com/google/subcommands v1.2.0`
- `github.com/jmoiron/sqlx v1.3.5`
- `github.com/mattn/go-sqlite3 v1.14.16`
- `github.com/oschwald/maxminddb-golang v1.10.0`
- `github.com/prometheus/client_golang v1.14.0`
- `github.com/yl2chen/cidranger v1.0.2`
- `golang.org/x/sync v0.1.0`
- `golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb@97bc4ad4a1cb`
</details>
</blockquote>
</details>

https://git.autistici.org/ai3/tools/vmgmt/-/issues/1
Debian-installer stateful DHCPv6
2023-02-18T10:02:25Z
ale

With our current setup, the debian-installer can't do stateful DHCPv6 properly. Symptoms:
* d-i obtains an address without issue (though we still have to wait for DHCPv4 to time out)
* when *netcfg* exits, it kills *dhcp6c*, which then **releases the DHCP lease and removes the address from the interface**
* in theory this should not happen and dhcp6c should be daemonized according to https://salsa.debian.org/installer-team/netcfg/-/blob/master/autoconfig.c#L129
So, after the network autoconfig stage is done, this leaves the VM with the interface in state UP, with routing set up, and resolv.conf pointing at the DNS server, but no external connectivity beyond the gateway, and the installation can only complete if we're using an HTTP proxy on the gateway host.

https://git.autistici.org/ai3/docker/s6-base/-/issues/2
Upgrade to s6-overlay v3
2023-05-18T18:24:54Z
ale

There are some important differences, although compatibility with v2 is mostly preserved. But given our customizations, we need to pay attention:
https://github.com/just-containers/s6-overlay/blob/master/MOVING-TO-V3.md

https://git.autistici.org/ai3/float/-/issues/139
Add Crowdsec support
2023-03-07T09:11:02Z
ale

The functionality of [crowdsec](https://www.crowdsec.net/) seems very interesting for the float reverse proxy, in particular the possibility to implement "milder" ban actions for rate limiting such as requiring a captcha (better than outright IP blocks).