piops issues
https://git.laquadrature.net/lqdn-interne/piops/-/issues
2024-03-29T15:07:28+01:00

https://git.laquadrature.net/lqdn-interne/piops/-/issues/75
Archive the Wiki
2024-03-29T15:07:28+01:00
nono
Closes : https://git.laquadrature.net/lqdn-interne/equipe_technique/-/issues/201
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/74
Error on Prometheus scraping
2024-03-28T18:11:25+01:00
nono
Prometheus has trouble scraping some instances
New infra
nono
2024-04-08

https://git.laquadrature.net/lqdn-interne/piops/-/issues/73
Allow mosh ports in firewall
2024-03-11T17:13:46+01:00
nono
follow up on !47
Things that would be nice to do
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/72
Job Failed #13011 : couldn't resolve module/action 'ansible.builtin.deb822_repository'
2024-03-11T15:43:42+01:00
nono
Job [#13011](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/13011) failed for bc0e0d01729d54a4bbb6eebceddb174c66cfae1d:
Solution : install Ansible via pip.
https://forum.ansible.com/t/how-to-get-deb822-repository-module-to-work-with-core-2-14-3/3721
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/71
Add a security.txt
2024-03-11T17:15:30+01:00
qadma
A security.txt file is a standardized file that contains key contact information to help security researchers contact a website owner to patch a vulnerability.
See https://securitytxt.org/ to generate a file.
It needs to be located at `/.well-known/security.txt` or at `/security.txt`
Maybe we can add one for www.laquadrature.net and technopolice.fr
Examples :
- https://www.google.com/.well-known/security.txt
- https://github.com/.well-known/security.txt
Things that would be nice to do

https://git.laquadrature.net/lqdn-interne/piops/-/issues/69
Job Failed #12580 : Add Gitlab Runner to the services tested on lqdntest
2024-02-13T18:07:27+01:00
nono
Job [#12580](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/12580) failed for 51db248aabe429a5f59a5395d21972797a8ab1be:
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/67
Job Failed #12576 : Update PHP version for Nextcloud installation
2024-02-13T18:06:23+01:00
nono
Job [#12576](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/12576) failed for 51db248aabe429a5f59a5395d21972797a8ab1be:
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/63
Job Failed #12030 : Define nodeJS version for uptime
2024-02-08T14:49:49+01:00
nono
Job [#12030](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/12030) failed for 968866d326914d751430023d95f892b3bdab07b3:
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/61
Job Failed #11843 APT is held by another process
2024-02-13T16:06:14+01:00
nono
Job [#11843](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11843) failed for 949f699b2e206bceb75a2a43843c379323a7f814:
Related to #33
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/60
Job Failed #11844 Logrotate errors
2024-02-15T11:42:14+01:00
nono
Job [#11844](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11844) failed for 949f699b2e206bceb75a2a43843c379323a7f814:
Related to #28
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/59
The snake biting its own tail: automatic generation of SSL certificates
2024-02-13T19:26:50+01:00
nono
We are facing a problem with SSL certificate generation.
The problem comes from using a webroot managed by Nginx.
Let's Encrypt will use a site's well-known path to read a file that certbot generates in /var/www/letsencrypt. Serving the file is handled by Nginx. So each site needs a configuration that allows this, generally of the form:
```
location /.well-known/acme-challenge {
alias /var/www/letsencrypt/.well-known/acme-challenge;
}
```
BUT!
If this is the first certificate generation, Nginx will refuse to start because the certificate required by the HTTPS configuration is missing.
```
2024/02/05 14:18:25 [emerg] 382339#382339: cannot load certificate "/etc/letsencrypt/live/sso.test.lqdn.fr/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/sso.test.lqdn.fr/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
```
The current solutions are:
- Do the first certificate generation by hand, using standalone mode. But that means stopping the Nginx server so that certbot's own server can take over.
- Use the standalone option in Ansible. That solves the problem of the first certificate generation, but means Nginx will be stopped at every certificate renewal (once every 60 days on average).
- Use a more advanced Certbot configuration, for example with a script that handles this case. See https://eff-certbot.readthedocs.io/en/latest/using.html#pre-and-post-validation-hooks
- Have a dedicated nginx file for the certbot service that answers on port 80, which would be pushed by default to all servers and does not require SSL certificates to start Nginx. I think this is the optimal solution.
- Another solution?
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/57
OOM on Livre Build : Job Failed #11550
2024-02-05T15:22:02+01:00
nono
Job [#11550](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11550) failed for e85eec34fd7f6037d6f2d5fcd6342dd97cac3208:
Sooo, I have two solutions in mind:
1. Do the build directly in the Gitlab CI, push the build result to the gitlab, and wget that build result on the machine
2. Ask Octopuce for more RAM on this server (but with a bit of a delay)
Things that would be nice to do
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/56
Job Failed #11534
2024-02-15T11:42:14+01:00
nono
Job [#11534](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11534) failed for e85eec34fd7f6037d6f2d5fcd6342dd97cac3208:
Remove the rsyslog-sender config, because it's managed by puppet.
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/55
Streamlining key verification and server host denomination
2024-02-05T16:47:19+01:00
nono
Job [#11535](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11535) failed for e85eec34fd7f6037d6f2d5fcd6342dd97cac3208:
Some servers have two hostnames, which leads to failed ssh key verification and double-installs, for example with APT that fails because the lock is held by an already running process. It's not critical but would be nice to fix to get the little green dopamine check.
Things that would be nice to do
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/54
Encrypt backups
2024-02-29T18:56:01+01:00
nono
The backups can be encrypted by GPG via Duply.
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/53
Activate complete deletion in Discourse
2024-01-30T10:59:50+01:00
nono
See https://meta.discourse.org/t/introducing-permanently-delete-post-functionality/207109
New infra
nono
2024-01-30

https://git.laquadrature.net/lqdn-interne/piops/-/issues/52
Job Failed #11045 : IPv6 configuration on lqdntest
2024-01-30T17:59:51+01:00
nono
Job [#11045](https://git.laquadrature.net/lqdn-interne/piops/-/jobs/11045) failed for 4b3dccb8f5cafe3b7f6799f0211bfdbd8ebfcb02:
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/51
Add CiviCRM service
2024-03-26T16:56:41+01:00
nono
We need to move CiviCRM to its own server because it needs a new and updated version of PHP that member doesn't have (nor does it have systemd activated??).
We have lqdncrm.lqdn.fr @ 185.34.33.12 for that.
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/49
Configure SAML SSO on Grafana
2024-02-22T11:52:15+01:00
nono
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml/
New infra
nono

https://git.laquadrature.net/lqdn-interne/piops/-/issues/48
Update Quadramoula
2023-12-11T15:07:17+01:00
nono
New infra
nono
2023-12-11