Redmine: Issues (https://issues.hackerspace.pl/, updated 2023-10-28T22:09:12Z)

hswaw - Bugless #75 (New): teleimg: teardown (https://issues.hackerspace.pl/issues/75, 2023-10-28T22:09:12Z, q3k)
<p>teleimg is still running. It used to be part of a telegram/IRC bridge that has been torn down for years. Teleimg's job was to serve images from Telegram chatrooms over HTTP(s) to post over IRC.</p>
<p>Apparently, it's still serving some traffic. We should validate what traffic that is (probably by adding logging to teleimg) and if it's not just bots/crawlers which have held onto some publicly posted images, tear it down.</p>

hswaw - Bugless #74 (New): Enable CSP for mastodon (https://issues.hackerspace.pl/issues/74, 2023-10-09T19:29:55Z, implr)
<p>Since somewhere around v4.1.4 mastodon recommends adding CSP headers on reverse proxies (see <a class="external" href="https://github.com/mastodon/mastodon/releases/tag/v4.1.4">https://github.com/mastodon/mastodon/releases/tag/v4.1.4</a>).<br />We ignored this during the upgrade (<a class="external" href="https://gerrit.hackerspace.pl/c/hscloud/+/1691">https://gerrit.hackerspace.pl/c/hscloud/+/1691</a>), but we should eventually do it.</p>
<p>Doing this in n-i-c is a bit tedious - it seems the only way is via snippet annotations, which we normally (for good reason) deny in admitomatic, so admitomatic would need to be fixed to allow this.</p>

hswaw - Bugless #72 (New): k0: run NTP (https://issues.hackerspace.pl/issues/72, 2023-08-01T17:19:39Z, q3k)
<p>We had 10 minutes of time offset after reboot.</p>
<p>We should run a chrony or something.</p>

hswaw - Bugless #71 (Assigned): k0: refactor secrets storage (https://issues.hackerspace.pl/issues/71, 2023-07-28T17:46:50Z, ar)
<pre>
193754 <q3k|h> https://cs.hackerspace.pl/hscloud/-/blob/tools/secretstore.py rewrite it so that it uses age instead of gpg, and so that it traverses the checkout upwards from the secrets directory until it finds a secrets.toml describing which keys encrypt the given subtree
193758 <q3k|h> bonus points for rewriting it in go
193826 <q3k|h> if you want to do it step by step you can also keep gpg for now
193840 <ar> actually, I can do this ↑, because I've mostly already done it in my secrets contraption in my morph repo
193909 <q3k|h> hackdoc already has such .toml files per subtree, for inspiration: https://cs.hackerspace.pl/hscloud/-/blob/dc/hackdoc.toml
194004 <q3k|h> still to be figured out is whether we want the key per .toml file, or a global registry username->[key] somewhere with only references to usernames in the per-subtree .toml files
194017 <q3k|h> (a global registry somewhere, i.e. a separate .toml file somewhere)
</pre>

hswaw - Bugless #69 (Assigned): another subtask (https://issues.hackerspace.pl/issues/69, 2023-07-28T16:29:35Z, arsenicum)

hswaw - Bugless #68 (Assigned): Test subtask 2 (https://issues.hackerspace.pl/issues/68, 2023-07-28T16:27:46Z, arsenicum)
<p>Test subtask</p>

hswaw - Bugless #67 (Assigned): Test story (https://issues.hackerspace.pl/issues/67, 2023-07-28T16:27:03Z, arsenicum)
<p>Description.<br />Here is a picture:<br /><img src="https://issues.hackerspace.pl/attachments/download/4/clipboard-202307281826-mogjh.png" alt="" /></p>
<p>And here the description continues</p>

hswaw - Bugless #66 (New): Test subtask (https://issues.hackerspace.pl/issues/66, 2023-07-28T16:22:32Z, arsenicum)

hswaw - Bugless #64 (Assigned): Document beyondspace (https://issues.hackerspace.pl/issues/64, 2023-07-23T15:24:19Z, palid)
<p>Logs to help documenting:</p>
<p>&lt;infowski&gt; This is something relatively new. But you'll probably have to/want to keep this login anyway if you want to expose it from k8s, just give unauthenticated access to traffic coming from customs.hackerspace.pl (the people behind NAT)</p>
<p>&lt;infowski&gt; I don't understand, but I think so? I don't know? I mean - normally edit was behind login. If you expose it publicly without oauth2_proxy in front of it, you always have to require authorization for edits, and for reads whenever remote_addr is something other than customs.hackerspace.pl<br />beyond space uri: https://cs.hackerspace.pl/hscloud/-/blob/hswaw/machines/customs.hackerspace.pl/beyondspace.nix?subtree=true</p>

hswaw - Bugless #62 (New): postorius webpage fails to download popper.js (https://issues.hackerspace.pl/issues/62, 2022-07-22T16:39:13Z, vuko)
How to reproduce:
<ol>
<li>log in as mailman into <a class="external" href="https://lists.hackerspace.pl/accounts/login">https://lists.hackerspace.pl/accounts/login</a><br />password is in hackerspace.pl:/root/pwds</li>
<li>Go into: <a class="external" href="https://lists.hackerspace.pl/postorius/lists/general.lists.hackerspace.pl/templates">https://lists.hackerspace.pl/postorius/lists/general.lists.hackerspace.pl/templates</a></li>
<li>Click the users button and see that nothing happens</li>
</ol>
<p>Failing URL is <a class="external" href="https://lists.hackerspace.pl/static/postorius/libs/popperjs/popper-v1.11.0.min.js">https://lists.hackerspace.pl/static/postorius/libs/popperjs/popper-v1.11.0.min.js</a></p>

hswaw - Bugless #59 (New): Run a Tor Bridge (https://issues.hackerspace.pl/issues/59, 2021-12-08T00:45:54Z, q3k)
<p>We'd maybe like to run a Tor Bridge on k0. These seem to not attract unwanted attention (from LE or from skids), but there's a few things to solve before we'd be able to run one comfortably:</p>
<ol>
<li>Make sure this is indeed not problematic for the aforementioned reasons.</li>
<li>Set up TC/QoS on dcsw1, edge01.waw or k8s/calico so that we can limit the bandwidth of the bridge to N Mbps (both incoming and outgoing). Or maybe the bridge software itself can be configured to take care of this?</li>
<li>Find a way to limit network connectivity: disallow 10/8 and other RFC1918, perhaps disallow parts of 185.236.240.0/22 (like DNS recursors?)</li>
</ol>
<p>Since k0 is unfortunately still IPv4-only, this would also be IPv4-only for now.</p>

hswaw - Bugless #57 (New): boston: periodic 502 on some web interfaces (https://issues.hackerspace.pl/issues/57, 2021-10-07T11:19:21Z, q3k)
<p>Spurious 502s happen to me sometimes on code.hackerspace.pl, but apparently also happen on lists.hackerspace.pl. Reloading the page usually fixes it.</p>
<p>This might be just a few knobs to tweak, like backend connection limits of some kind? Needs to be investigated.</p>

hswaw - Bugless #56 (New): matrix.hackerspace.pl: PMs are disabled on this bridge over federation (https://issues.hackerspace.pl/issues/56, 2021-10-03T20:24:52Z, q3k)
<p>As in the subject, people from non-hackerspace.pl servers (e.g. matrix.org) cannot DM people over appservice-irc by just tapping their name.</p>
<p>We should either enable this, or redirect to libera's bridge?</p>

hswaw - Bugless #54 (Assigned): [tracker] upgrade calico and k8s to a current release (https://issues.hackerspace.pl/issues/54, 2021-09-21T09:46:56Z, implr)

hswaw - Bugless #53 (Assigned): Access to k0 pod network from routing fabric is borked (https://issues.hackerspace.pl/issues/53, 2021-09-20T22:48:07Z, q3k)
<p>For example, from boston:</p>
<pre>$ curl 10.10.25.14:9092 # matrix metrics</pre>
<p>will sometimes work and sometimes get stuck.</p>
<p>10.10.25.0/26 is ECMP'd across all k0 hosts:</p>
<pre>
dcsw01.hswaw.net#show ip route 10.10.25.0/26
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I - ISIS, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route
B E 10.10.25.0/26 [200/0] via 185.236.240.35, Vlan2001
                          via 185.236.240.36, Vlan2001
                          via 185.236.240.39, Vlan2001
                          via 185.236.240.40, Vlan2001
</pre>
<p>However, it's a pod IP, so that's only really handled by one node - in this case, dcr01s24 / 185.236.240.40. And it seems like it only works when it gets ECMPd directly to that node, but not otherwise.</p>
<p>But even still, it should be properly bounced off if it hits other nodes, what's going on?</p>