ai3 issues
Feed: https://git.autistici.org/groups/ai3/-/issues
Last updated: 2024-03-14T09:36:11Z

X509 PKI CA renewal is broken
URL: https://git.autistici.org/ai3/float/-/issues/148
Updated: 2024-03-14T09:36:11Z | Author: ale

When the PKI X509 CA (used for internal mTLS) expires, float will *not* re-generate all mTLS certificates.
This can currently be mitigated by running float manually with "-e force_renew_credentials=true", which will forcefully regenerate all mTLS certificates (and restart the associated services/containers).

Problems with SSO
URL: https://git.autistici.org/ai3/docker/rt4/-/issues/17
Updated: 2024-01-22T17:52:11Z | Author: putro

If it takes more than a minute to reply to a ticket, it then gives an error.
In the logs you find
```
sso: validation error: ticket expired
```
as an Apache error,
and then the RT error:
```
No ticket specified
```

Dependency Dashboard
URL: https://git.autistici.org/ai3/tools/ssh-key-wtmp/-/issues/1
Updated: 2024-03-05T09:29:23Z | Author: renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
This repository currently has no open or pending branches.
## Detected dependencies
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.19`
- `git.autistici.org/ai3/go-common v0.0.0-20230816213645-b3aa3fb514d6@b3aa3fb514d6`
- `github.com/oschwald/maxminddb-golang v1.12.0`
- `golang.org/x/crypto v0.21.0`
</details>
</blockquote>
</details>

Upgrade mysql roles for new 10.5 multi-instance semantics
URL: https://git.autistici.org/ai3/config/-/issues/9
Updated: 2023-12-04T16:04:45Z | Author: ale

Debian bookworm has changed how mariadb-server does multi-instance; support seems better now than it was before, so we could try using the upstream systemd config again.

vhostmap Prometheus metric has duplicate entries
URL: https://git.autistici.org/ai3/float/-/issues/147
Updated: 2023-12-01T17:58:11Z | Author: ale

Starting with bookworm, the node-exporter complains, and they're right:
```
# grep docker-wayback-http.service vhostmap.prom
vhostmap{float_service="wayback",service="docker-wayback-http.service",vhost="archive.autistici.org:443"} 1
vhostmap{float_service="wayback",service="docker-wayback-http.service",vhost="archive.inventati.org:443"} 1
vhostmap{float_service="wayback",service="docker-wayback-http.service",vhost="archive.autistici.org:443"} 1
vhostmap{float_service="wayback",service="docker-wayback-http.service",vhost="archive.inventati.org:443"} 1
vhostmap{float_service="wayback",service="docker-wayback-http.service",vhost="archive.autistici.org:443"} 1
vhostmap{float_service="wayback",service="docker-wayback-http.service",vhost="archive.inventati.org:443"} 1
```

Set a runlevel
URL: https://git.autistici.org/ai3/docker/s6-overlay-lite/-/issues/1
Updated: 2023-11-25T18:57:54Z | Author: ale

We recently started noticing this issue, where gitlab-runner 16.6 would fail to start services using images based on s6-overlay-lite. The job would fail with a s6-telinit command-line parsing error, caused by it being passed no arguments. This is due to s6-init invoking 's6-telinit "$@"' whenever it detects it is not PID 1; although s6-telinit will exit if it detects a container environment, it will still attempt to parse its arguments, and fail.
Something like https://git.autistici.org/ai/website/-/merge_requests/81/diffs?commit_id=2263ff11772a968c0dfbd2d6595480779af33e24 fixes the issue because we're passing a runlevel arg. Should we set this runlevel arg on this image's CMD? Float runners should not see any change in behavior because in that case s6-init is indeed already running as PID 1 ...

Report LE account number
URL: https://git.autistici.org/ai3/tools/acmeserver/-/issues/9
Updated: 2023-11-27T17:29:17Z | Author: ale

This is useful in a number of contexts; acmeserver should print it out when it attempts registration.

When multiple services on the same host use the same container image, only one gets restarted on update
URL: https://git.autistici.org/ai3/float/-/issues/146
Updated: 2023-11-13T13:53:33Z | Author: ale

Likely a deduping issue with the Ansible task that calls float-pull-image?

Prober URLs in ProbeFailure alerts can be incorrect
URL: https://git.autistici.org/ai3/float/-/issues/145
Updated: 2023-11-13T13:24:13Z | Author: ale

The float/roles/float-infra-prometheus/templates/rules/alerts_base.conf.yml alerts template says "Failed probe logs: https://https://{{ $labels.prober_float_service }}.[[ domain_public[0] ]]/" and the default for prober_float_service is 'prometheus', but e.g. for the default prober it should be 'prober'.
This is because we're assuming that the service has a public_endpoint with the same name, which is not the case for the *prometheus* default service. There should instead be a way to retrieve the "best" public_endpoint for a specific job (via its monitoring_endpoint port, for instance)...

Dependency Dashboard
URL: https://git.autistici.org/ai3/tools/admin-dashboard/-/issues/1
Updated: 2024-02-27T20:26:09Z | Author: renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
This repository currently has no open or pending branches.
## Detected dependencies
<details><summary>dockerfile</summary>
<blockquote>
<details><summary>Dockerfile</summary>
- `golang 1.22`
</details>
</blockquote>
</details>
<details><summary>npm</summary>
<blockquote>
<details><summary>package.json</summary>
- `css-loader 6.10.0`
- `extract-loader 5.1.0`
- `html-webpack-plugin 5.6.0`
- `mini-css-extract-plugin 2.8.1`
- `prometheus-query 3.4.0`
- `purgecss-webpack-plugin 5.0.0`
- `raw-loader 4.0.2`
- `webpack-subresource-integrity 5.1.0`
</details>
</blockquote>
</details>

ARC support
URL: https://git.autistici.org/ai3/config/-/issues/8
Updated: 2023-09-25T09:06:11Z | Author: ale

[ARC](https://www.rfc-editor.org/rfc/rfc8617) is a thing now apparently and it is considered by large providers in antispam scoring, so it would be smart to support it.
There are two parts to it: Postfix should do ARC signing, and Mailman should try to avoid breaking it.
For Postfix, the point is to add Authentication-Results headers to all outbound messages (via smtp-auth or other means) to bootstrap the ARC verification chain, and then to have them signed pretty much in the same place where we do DKIM signatures.
The dkimpy library is able to do ARC signatures, but the dkimpy-milter package in Debian is not prepared to do so, although adding the functionality seems easy.
A plan:
* [ ] switch from OpenDKIM to dkimpy-milter
* [ ] make Postfix add Authentication-Results headers to emails sent by our users
* [ ] fork dkimpy-milter to add ARC support
Resources:
* [ARC official resources](http://arc-spec.org/?page_id=79) (incl. Mailman references)

update-firewall maybe should run update-ipset
URL: https://git.autistici.org/ai3/tools/firewall/-/issues/2
Updated: 2023-08-27T06:16:57Z | Author: micah

If you drop something into `/etc/firewall/blocked...` and then expect that `update-firewall` will put it into place, you would be wrong and confused that your new ip/netblock is not listed anywhere. You actually need to run `update-ipset` to get it added to the ipset.
I think it's *fine* to have to run `update-ipset`, but then one needs to write a separate handler for running that, if one remembers that one needs to run that more specific command, when `update-firewall` kind of feels intuitively like the one you would run to get that updated.
It's pretty minor, I just got bit by this twice, and had to remember that I needed to run `update-ipset` instead of `update-firewall`, and now that I've run into it twice, maybe I won't again. Besides, running `update-firewall` might be more churn than necessary when you just want to update the ipset?
I leave this here for you to decide if it's worth doing or not.

Switch the pwhash default to argon2id
URL: https://git.autistici.org/ai3/go-common/-/issues/3
Updated: 2023-08-22T09:51:36Z | Author: ale

Switching the default hasher to Argon2Std would allow us to implement #2 at some point...

Replace the pwhash package with github.com/simia-tech/crypt
URL: https://git.autistici.org/ai3/go-common/-/issues/2
Updated: 2023-08-22T09:51:36Z | Author: ale

Fortunately it seems the argon2i format is compatible.

Replace Elasticsearch with Clickhouse
URL: https://git.autistici.org/ai3/float/-/issues/144
Updated: 2023-08-22T07:29:16Z | Author: ale

Clickhouse might be more suited to the low-resource use case and might generally scale better to the high-resources one - we'd lose Kibana, but there is not much there that can't be replaced by a simpler dashboarding / query UI.

Model data control flow in logs
URL: https://git.autistici.org/ai3/float/-/issues/143
Updated: 2023-08-22T07:25:55Z | Author: ale

We're using syslog as the generalized transport for asynchronous messages, at least those that are expected to end up in a searchable database somewhere -- so it would be nice to be able to model these data flows explicitly (switching on the *log_type* attribute, for instance?) and describe them in a way that float would understand, and configure the system accordingly.
In line with this thinking, it would be nice to be able to set up *log consumers* that are not searchable databases, for example for the purpose of *log watching* (for periodic / real-time analysis, or alerting)...

v3: Support filesystem storage
URL: https://git.autistici.org/ai3/tools/acmeserver/-/issues/8
Updated: 2023-08-21T11:24:06Z | Author: ale

It would make it easier to incrementally test changes when switching between acmeserver v1/replds and replds2.

v3: Create a command channel to support user-triggered forced renewal
URL: https://git.autistici.org/ai3/tools/acmeserver/-/issues/7
Updated: 2023-08-21T11:11:46Z | Author: ale

Need an authenticated request channel to implement this.

v3: Prometheus instrumentation
URL: https://git.autistici.org/ai3/tools/acmeserver/-/issues/6
Updated: 2023-08-21T11:11:30Z | Author: ale

Dependency Dashboard
URL: https://git.autistici.org/ai3/tools/webauthn-cred/-/issues/1
Updated: 2024-03-05T09:30:20Z | Author: renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
## Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- [ ] <!-- rebase-branch=renovate/github.com-fxamacker-cbor-v2-2.x -->[Update module github.com/fxamacker/cbor/v2 to v2.6.0](!8)
## Detected dependencies
<details><summary>gitlabci</summary>
<blockquote>
<details><summary>.gitlab-ci.yml</summary>
</details>
</blockquote>
</details>
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.19`
- `github.com/duo-labs/webauthn v0.0.0-20221205164246-ebaf9b74c6ec@ebaf9b74c6ec`
- `github.com/fxamacker/cbor/v2 v2.5.0`
- `github.com/keys-pub/go-libfido2 v1.5.3`
- `golang.org/x/term v0.18.0`
</details>
</blockquote>
</details>