LQDN Adminsys issues
https://git.laquadrature.net/groups/lqdn-interne/-/issues
2024-03-28T18:11:25+01:00

https://git.laquadrature.net/lqdn-interne/piops/-/issues/74
Error on prometheus scraping
2024-03-28T18:11:25+01:00, nono
Prometheus has trouble scraping some instances
Nouvelle infra, nono, 2024-04-08

https://git.laquadrature.net/lqdn-interne/piops/-/issues/51
Add CiviCRM service
2024-03-26T16:56:41+01:00, nono
We need to move CiviCRM to its own server because it needs a new and updated version of PHP that member doesn't have ( nor does it have systemd activated ?? ).
We have lqdncrm.lqdn.fr @ 185.34.33.12 for that.
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/13
Add service : Etherpad
2024-03-25T14:45:58+01:00, nono
Include this role : https://github.com/systemli/ansible-role-etherpad
- [ ] Check if role can support plugins, if not, add functionality
- [x] Add role
- [x] Add variables
- [x] Deploy role on testing infra
- [ ] Deploy role to prod infra
- [ ] Import existing data to prod infra
- [x] Add backups ( linked to #11 )
- [ ] Connect to the deleted pad function ( https://git.laquadrature.net/la-quadrature-du-net/outils/etherpad-cleanup )
Nouvelle infra

https://git.laquadrature.net/lqdn-interne/piops/-/issues/45
Add website livre lqdn
2024-03-18T10:19:07+01:00, nono
Nouvelle infra, nono, 2024-04-02

https://git.laquadrature.net/lqdn-interne/piops/-/issues/22
Look at Ansible-Semaphore
2024-03-11T17:16:53+01:00, nono
https://docs.ansible-semaphore.com/user-guide/repositories
Things that would be nice to do

https://git.laquadrature.net/lqdn-interne/piops/-/issues/62
md.lqdn.fr returning 502
2024-03-11T17:15:59+01:00, nono
HedgeDoc went down for two reasons:
- No space left on the server because of logs ( #28 )
- The nginx upstream was on `127.0.0.1:3003`, but it only responded on `localhost:3003`
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/71
Add a security.txt
2024-03-11T17:15:30+01:00, qadma
A security.txt file is a standardized file that contains key contact information to help security researchers contact a website owner to patch a vulnerability.
See https://securitytxt.org/ to generate a file.
It needs to be located at `/.well-known/security.txt` or at `/security.txt`
Maybe we can add one for www.laquadrature.net and technopolice.fr
Examples :
- https://www.google.com/.well-known/security.txt
- https://github.com/.well-known/security.txt
Things that would be nice to do

https://git.laquadrature.net/lqdn-interne/piops/-/issues/73
Allow mosh ports in firewall
2024-03-11T17:13:46+01:00, nono
follow up on !47
Things that would be nice to do, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/72
Job Failed #13011 : couldn't resolve module/action 'ansible.builtin.deb822_repository'
2024-03-11T15:43:42+01:00, nono
Job [#13011](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/13011) failed for bc0e0d01729d54a4bbb6eebceddb174c66cfae1d:
Solution : install Ansible via pip.
https://forum.ansible.com/t/how-to-get-deb822-repository-module-to-work-with-core-2-14-3/3721
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/54
Encrypt backups
2024-02-29T18:56:01+01:00, nono
The backups can be encrypted by GPG via Duply.
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/42
Add pre-push git hook to check linting
2024-02-29T18:34:39+01:00, nono
Things that would be nice to do

https://git.laquadrature.net/lqdn-interne/piops/-/issues/49
Configure SAML SSO on Grafana
2024-02-22T11:52:15+01:00, nono
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml/
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/56
Job Failed #11534
2024-02-15T11:42:14+01:00, nono
Job [#11534](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11534) failed for e85eec34fd7f6037d6f2d5fcd6342dd97cac3208:
Remove the rsyslog-sender config, because it's managed by puppet.
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/60
Job Failed #11844 Logrotate errors
2024-02-15T11:42:14+01:00, nono
Job [#11844](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11844) failed for 949f699b2e206bceb75a2a43843c379323a7f814:
Related to #28
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/29
Fix rsyslog / journald configuration
2024-02-15T11:42:14+01:00, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/28
Fix logrotate configuration
2024-02-15T11:42:14+01:00, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/6
Redirect lqdn.fr addresses to laquadrature.net and vice versa
2024-02-15T11:40:29+01:00, nono
At the moment, some services are available under one URL but not the other. And the redirection does not seem to work every time.

https://git.laquadrature.net/lqdn-interne/piops/-/issues/59
The snake biting its own tail: automatic generation of SSL certificates
2024-02-13T19:26:50+01:00, nono
We are facing a problem with SSL certificate generation.
The problem comes from using a webroot managed by Nginx.
Let's Encrypt uses a site's well-known path to read a file that certbot generates in /var/www/letsencrypt. Serving that file is handled by Nginx. So each site needs a configuration that allows it, usually of the form:
```
location /.well-known/acme-challenge {
alias /var/www/letsencrypt/.well-known/acme-challenge;
}
```
BUT!
If this is the first time the certificate is generated, Nginx will refuse to start because the certificate required by the HTTPS configuration is missing.
```
2024/02/05 14:18:25 [emerg] 382339#382339: cannot load certificate "/etc/letsencrypt/live/sso.test.lqdn.fr/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/sso.test.lqdn.fr/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
```
The current solutions are:
- Do the first certificate generation by hand, using standalone mode. But that means stopping the Nginx server so that certbot's own server can take over.
- Use the standalone option in Ansible. That solves the problem of the first certificate generation, but means Nginx will be stopped at every certificate renewal ( once every 60 days on average ).
- Use a more advanced Certbot configuration, for example with a script that handles this case. See https://eff-certbot.readthedocs.io/en/latest/using.html#pre-and-post-validation-hooks
- Have a dedicated nginx file for the certbot service that answers on port 80, pushed by default to all servers, and that does not require SSL certificates for Nginx to start. I think this is the optimal solution.
- Another solution?
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/69
Job Failed #12580 : Add Gitlab Runner to the services tested on lqdntest
2024-02-13T18:07:27+01:00, nono
Job [#12580](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/12580) failed for 51db248aabe429a5f59a5395d21972797a8ab1be:
Nouvelle infra, nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/68
Job Failed #12581 : Add forum to the services tested on lqdntest
2024-02-13T18:06:59+01:00, nono
Job [#12581](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/12581) failed for 51db248aabe429a5f59a5395d21972797a8ab1be:
nono