
Nov 2 2024

dereckson created Blog Post: SSH keys fingerprints for Dwellers.
Nov 2 2024, 18:17 · Servers, security

Oct 27 2024

dereckson moved T2075: Generate SSH keys for backup purpose from Backlog to Backup infrastructure on the Backups board.
Oct 27 2024, 01:09 · security, Servers, Backups, Salt
dereckson moved T2075: Generate SSH keys for backup purpose from Servers config to Require Salt dev on the Salt board.
Oct 27 2024, 01:00 · security, Servers, Backups, Salt
dereckson moved T2075: Generate SSH keys for backup purpose from Backlog to Servers config on the Salt board.
Oct 27 2024, 01:00 · security, Servers, Backups, Salt
dereckson triaged T2075: Generate SSH keys for backup purpose as Normal priority.
Oct 27 2024, 00:58 · security, Servers, Backups, Salt

Oct 23 2024

dereckson closed T2051: Can't renew TLS certificates verified through HTTP on docker engines as Resolved by committing rOPSb99907864885: Allow nginx to read /.well-known/acme-challenge.
Oct 23 2024, 16:38 · security, Nasqueron Docker deployment squad, Servers

Oct 13 2024

dereckson moved T1861: Configure static IPv6 on WindRiver from Backlog to Knowledge sharing is needed on the IPv6 board.
Oct 13 2024, 12:04 · security, Servers, IPv6
dereckson added a comment to T1861: Configure static IPv6 on WindRiver.

So, to get routing back:

Oct 13 2024, 12:03 · security, Servers, IPv6

Oct 12 2024

dereckson moved T1765: SELinux context is missing for /etc/nginx configuration files from Backlog - Docker to Backlog - Alkane/Webservers on the Operations sprints (Ignite Alkane Propulsion) board.
Oct 12 2024, 10:21 · Operations sprints (Ignite Alkane Propulsion), Salt, security, Nasqueron Docker deployment squad, Servers
dereckson closed T619: Allow to control from TC2 the Docker engine as Wontfix.

Not sure of the current benefit to use TC2.

Oct 12 2024, 10:16 · Operations sprints (Operations sprint 1), security, Nasqueron Docker deployment squad, Servers, Dæghrefn
dereckson moved T1486: Evaluate Archery from Backlog to Not for this sprint on the Operations sprints (Move the ambiant lights) board.
Oct 12 2024, 10:07 · security, Product evaluation, Operations sprints (Move the ambiant lights)
dereckson moved T1602: Provision ACME DNS credentials for core domains on each servers from Backlog to Backlog - Alkane/Webservers on the Operations sprints (Ignite Alkane Propulsion) board.
Oct 12 2024, 09:48 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson edited projects for T1602: Provision ACME DNS credentials for core domains on each servers, added: Operations sprints (Ignite Alkane Propulsion); removed Operations sprints (Consolidate them all).
Oct 12 2024, 09:47 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson moved T1602: Provision ACME DNS credentials for core domains on each servers from Pending review to Not for this sprint on the Operations sprints (Consolidate them all) board.
Oct 12 2024, 09:47 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson added a comment to T1602: Provision ACME DNS credentials for core domains on each servers.

This is still needed for acme.sh if we want to provision different *.nasqueron.org certificates on different servers.

Oct 12 2024, 09:47 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson added a subtask for T1602: Provision ACME DNS credentials for core domains on each servers: T1599: Install TLS wildcard certificates for nginx fallback vhost.
Oct 12 2024, 09:44 · Operations sprints (Ignite Alkane Propulsion), security, Servers

Oct 9 2024

dereckson lowered the priority of T2051: Can't renew TLS certificates verified through HTTP on docker engines from High to Normal.
Oct 9 2024, 18:45 · security, Nasqueron Docker deployment squad, Servers
dereckson updated the task description for T2051: Can't renew TLS certificates verified through HTTP on docker engines.
Oct 9 2024, 18:45 · security, Nasqueron Docker deployment squad, Servers
dereckson added a comment to T2051: Can't renew TLS certificates verified through HTTP on docker engines.

Salt SELinux module issue

Oct 9 2024, 18:45 · security, Nasqueron Docker deployment squad, Servers
dereckson updated the task description for T2051: Can't renew TLS certificates verified through HTTP on docker engines.
Oct 9 2024, 18:07 · security, Nasqueron Docker deployment squad, Servers
dereckson added a revision to T2051: Can't renew TLS certificates verified through HTTP on docker engines: D3501: Allow nginx to read /.well-known/acme-challenge.
Oct 9 2024, 17:48 · security, Nasqueron Docker deployment squad, Servers
dereckson moved T2051: Can't renew TLS certificates verified through HTTP on docker engines from Backlog to Pending review on the Servers board.
Oct 9 2024, 17:43 · security, Nasqueron Docker deployment squad, Servers
dereckson moved T2051: Can't renew TLS certificates verified through HTTP on docker engines from Backlog to Working on on the Nasqueron Docker deployment squad board.

SELinux context was the default for anything created under /var, which we didn't allow and aren't interested in allowing for nginx.

Oct 9 2024, 17:43 · security, Nasqueron Docker deployment squad, Servers
dereckson triaged T2051: Can't renew TLS certificates verified through HTTP on docker engines as High priority.
Oct 9 2024, 16:02 · security, Nasqueron Docker deployment squad, Servers
dereckson created T2051: Can't renew TLS certificates verified through HTTP on docker engines.
Oct 9 2024, 16:01 · security, Nasqueron Docker deployment squad, Servers

Oct 3 2024

dereckson created Blog Post: WindRiver moved to a new home. New SSH keys..
Oct 3 2024, 19:42 · security, Servers
dereckson added a comment to T2040: Supersede Vault by OpenBao.

Yes, it's a fork from Vault 1.14 so we've all the features of token generation. back to the shorter s. tokens).

Oct 3 2024, 17:26 · security, Servers, Vault
DorianWinty added a comment to T2040: Supersede Vault by OpenBao.
  • about the UI, it could be useful for managing secrets more easily
Oct 3 2024, 17:23 · security, Servers, Vault
dereckson moved T2040: Supersede Vault by OpenBao from Backlog to Analysis / under discussion on the Servers board.
Oct 3 2024, 15:21 · security, Servers, Vault
dereckson triaged T2040: Supersede Vault by OpenBao as Normal priority.
Oct 3 2024, 15:21 · security, Servers, Vault

Sep 12 2024

dereckson shifted T1996: Servers on hyper-001 have network issues from the Restricted Space space to the S1 Nasqueron space.
Sep 12 2024, 18:16 · security, Servers
dereckson closed T1996: Servers on hyper-001 have network issues as Wontfix.

Can't repro

Sep 12 2024, 18:15 · security, Servers
dereckson added a revision to T930: Secrets to migrate from DevCentral to Vault: D3441: Prune Zemke-Rhyne.
Sep 12 2024, 17:02 · User-Dereckson, Vault, Nasqueron Operations Squad, security

Sep 8 2024

Sandlayth closed T2013: Add new public ssh-key belonging to user sandlayth as Resolved by committing rOPS257aa8d9e00c: Add new public ssh-key belonging to user sandlayth.
Sep 8 2024, 09:07 · security, Servers
Sandlayth added a revision to T2013: Add new public ssh-key belonging to user sandlayth: D3433: Add new public ssh-key belonging to user sandlayth.
Sep 8 2024, 09:06 · security, Servers

Sep 5 2024

Sandlayth triaged T2013: Add new public ssh-key belonging to user sandlayth as Low priority.
Sep 5 2024, 20:40 · security, Servers

Aug 17 2024

dereckson closed T853: Deploy a Let's encrypt certificate to the Mumble server as Wontfix.

Mumble isn't currently in scope.

Aug 17 2024, 14:56 · good-first-issue, Mumble, security, Servers
dereckson closed T853: Deploy a Let's encrypt certificate to the Mumble server, a subtask of T654: Apply Let's encrypt SSL certificates for *.nasqueron.org, as Wontfix.
Aug 17 2024, 14:56 · security, Servers

Aug 4 2024

dereckson closed T1928: Serve CAA DNS records as Resolved.

Both are already set in DNS:

Aug 4 2024, 17:45 · Servers, DNS, security
dereckson added a comment to T1928: Serve CAA DNS records.

We use a wildcard certificate, so issuewild is needed, yes.

Aug 4 2024, 17:44 · Servers, DNS, security
dereckson claimed T1928: Serve CAA DNS records.
Aug 4 2024, 17:43 · Servers, DNS, security
dereckson moved T1879: Draft a 2FA policy from Backlog to Nasqueron Operations SIG on the discussion board.
Aug 4 2024, 17:42 · discussion, security, DevCentral
dereckson updated subscribers of T1879: Draft a 2FA policy.

@Ash-Crow @fauve @rama @replicatorbe @Sandlayth @xcombelle Any feedback on this?

Aug 4 2024, 17:41 · discussion, security, DevCentral
dereckson triaged T1879: Draft a 2FA policy as High priority.
Aug 4 2024, 17:39 · discussion, security, DevCentral
dereckson triaged T1928: Serve CAA DNS records as High priority.
Aug 4 2024, 17:37 · Servers, DNS, security

Aug 3 2024

dereckson added a comment to T1996: Servers on hyper-001 have network issues.

From router-001 network looks good:

Aug 3 2024, 13:59 · security, Servers
dereckson added a comment to T1996: Servers on hyper-001 have network issues.

Stopped currently not needed salt and node-exporter on router-001 to see if that helps.

Aug 3 2024, 13:58 · security, Servers
dereckson renamed T1996: Servers on hyper-001 have network issues from Server outage: complector to Servers on hyper-001 have network issues.
Aug 3 2024, 13:23 · security, Servers
dereckson shifted T1996: Servers on hyper-001 have network issues from the S1 Nasqueron space to the Restricted Space space.
Aug 3 2024, 13:23 · security, Servers
dereckson lowered the priority of T1996: Servers on hyper-001 have network issues from Unbreak Now! to High.

Could be at hypervisor level. SSH failed until 13:22 where it worked immediately.

Aug 3 2024, 13:23 · security, Servers

Jul 23 2024

dereckson added a comment to T1877: Evaluate Alcali - Salt front-end.

It could be easier to deploy https://github.com/kpetremann/salt-exporter

Jul 23 2024, 17:56 · security, Salt, Servers, Product evaluation

Jul 10 2024

dereckson closed T1974: Update windu SSH key as Resolved.

Key confirmed to work.

Jul 10 2024, 19:17 · security, Servers

Jul 9 2024

dereckson added a revision to T1974: Update windu SSH key: D3362: Add SSH key for windu account.
Jul 9 2024, 22:17 · security, Servers
dereckson reopened T1974: Update windu SSH key as "Open".

Still some issue to connect, SSH2 RSA key not recognized.

Jul 9 2024, 22:17 · security, Servers

Jul 5 2024

dereckson closed T1974: Update windu SSH key as Resolved by committing rOPS3defdf4a54a8: Update SSH key for windu.
Jul 5 2024, 18:54 · security, Servers
dereckson added projects to T1974: Update windu SSH key: Servers, security.
Jul 5 2024, 18:47 · security, Servers

Feb 17 2024

dereckson closed T1953: sshd-otp returns fatal error recv_rexec_state: parse config: incomplete message as Resolved.
Ysul
$ /usr/local/etc/rc.d/sshd-otp restart
Performing sanity check on sshd_otp configuration.
Stopping sshd_otp.
Waiting for PIDS: 1331.
Performing sanity check on sshd_otp configuration.
Starting sshd_otp.
Feb 17 2024, 14:50 · security, Servers
dereckson created T1953: sshd-otp returns fatal error recv_rexec_state: parse config: incomplete message.
Feb 17 2024, 14:50 · security, Servers

Jan 28 2024

dereckson added a revision to T930: Secrets to migrate from DevCentral to Vault: D3302: Migrate former Zemke-Rhyne secrets from a.b.c to a/b/c path.
Jan 28 2024, 19:11 · User-Dereckson, Vault, Nasqueron Operations Squad, security
dereckson added a comment to T930: Secrets to migrate from DevCentral to Vault.

Secrets have been migrated from dot notation to slash notation.

Jan 28 2024, 19:10 · User-Dereckson, Vault, Nasqueron Operations Squad, security

Jan 15 2024

dereckson added a comment to T1877: Evaluate Alcali - Salt front-end.

Alcali is still alive.

Jan 15 2024, 21:50 · security, Salt, Servers, Product evaluation

Jan 8 2024

dereckson added a revision to T1935: OPENSSH 9.6: D3265: Disable Terrapin sensible ciphers and algorithms.
Jan 8 2024, 21:54 · security
DorianWinty closed T1935: OPENSSH 9.6 as Resolved.
Jan 8 2024, 21:13 · security
DorianWinty shifted T1935: OPENSSH 9.6 from the Restricted Space space to the S1 Nasqueron space.
Jan 8 2024, 21:13 · security
DorianWinty shifted T1935: OPENSSH 9.6 from the S1 Nasqueron space to the Restricted Space space.
Jan 8 2024, 21:11 · security
DorianWinty shifted T1935: OPENSSH 9.6 from the Restricted Space space to the S1 Nasqueron space.
Jan 8 2024, 21:11 · security

Jan 7 2024

dereckson updated the task description for T1935: OPENSSH 9.6.
Jan 7 2024, 18:05 · security
dereckson updated the task description for T1935: OPENSSH 9.6.
Jan 7 2024, 18:01 · security
dereckson updated the task description for T1935: OPENSSH 9.6.
Jan 7 2024, 00:21 · security

Jan 5 2024

DorianWinty updated the task description for T1935: OPENSSH 9.6.
Jan 5 2024, 19:55 · security
DorianWinty updated the task description for T1935: OPENSSH 9.6.
Jan 5 2024, 19:55 · security
DorianWinty added a comment to T1935: OPENSSH 9.6.

For Hervil

Jan 5 2024, 12:32 · security
dereckson added a comment to T1935: OPENSSH 9.6.

FreeBSD integrates OpenSSH to the base OS.

Jan 5 2024, 12:06 · security
DorianWinty added a comment to T1935: OPENSSH 9.6.
Jan 5 2024, 11:45 · security
DorianWinty added a comment to T1935: OPENSSH 9.6.

cloudhugger:

OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023

windriver:

OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023

dwellers:

OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022

windriver:

OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023

windriver:

OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023

docker-002:

OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022

hervil:

OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023

complector:

OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023

db-A-001:

OpenSSH_9.3p2, OpenSSL 1.1.1t-freebsd  7 Feb 2023

db-B-001:

OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023

web-001:

OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023

router-001:

OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023

ysul:

Minion did not return. [Not connected]

thrayce:

Minion did not return. [Not connected]
Jan 5 2024, 11:31 · security
DorianWinty created T1935: OPENSSH 9.6.
Jan 5 2024, 11:12 · security

Dec 17 2023

dereckson created T1928: Serve CAA DNS records.
Dec 17 2023, 14:03 · Servers, DNS, security
dereckson added a revision to T1228: Configure TLS for webserver-core role: D3251: Provide TLS 1.3 only nginx configuration.
Dec 17 2023, 14:00 · security, Servers
dereckson added a comment to T1228: Configure TLS for webserver-core role.

Situation has evolved since 2017, we currently configure nginx with TLSv1.2 + TLSv1.3,
per Mozilla intermediate configuration https://ssl-config.mozilla.org/

Dec 17 2023, 13:59 · security, Servers
dereckson updated the task description for T1228: Configure TLS for webserver-core role.
Dec 17 2023, 13:57 · security, Servers
dereckson renamed T1228: Configure TLS for webserver-core role from Configure TLS for Ysul to Configure TLS for webserver-core role.
Dec 17 2023, 13:57 · security, Servers

Jun 16 2023

dereckson updated subscribers of T1877: Evaluate Alcali - Salt front-end.
Jun 16 2023, 14:06 · security, Salt, Servers, Product evaluation

Jun 11 2023

dereckson added a comment to T1861: Configure static IPv6 on WindRiver.

Worked before (dhclient + routes), but on boot:

  • we've a correct fe80 address
  • no dhclient, but /usr/local/etc/rc.d/dhclient6 start does NOT complain dhclient6_enable="YES" is missing
  • when dhclient is started, our correct prefix is returned
  • no static IP assignment in current state (missing from /etc/netif/igb0_ipv6)
  • we can add manually IP in our prefix
  • routing is missing and can't be easily figured (the expectation was dhclient would take care of that)
Jun 11 2023, 11:23 · security, Servers, IPv6

Jun 7 2023

dereckson added a revision to T1861: Configure static IPv6 on WindRiver: D3185: Configure IPv6 with DUID for Online network.
Jun 7 2023, 00:41 · security, Servers, IPv6

Jun 3 2023

dereckson raised the priority of T1861: Configure static IPv6 on WindRiver from Normal to High.

Taking it as we've issues with the /128 one and I'd prefer to fix the /56 config than the /128 one.

Jun 3 2023, 21:31 · security, Servers, IPv6

May 29 2023

dereckson closed T1890: Deploy Vault on Eglide as Resolved.
May 29 2023, 17:18 · Odderon, IRC, Vault, security, Eglide
dereckson added a revision to T1890: Deploy Vault on Eglide: D3154: Help to configure Salt for Vault access on shellserver.
May 29 2023, 17:14 · Odderon, IRC, Vault, security, Eglide
dereckson added a revision to T1890: Deploy Vault on Eglide: D3153: Help operations to unseal Eglide Vault.
May 29 2023, 14:43 · Odderon, IRC, Vault, security, Eglide
dereckson added a revision to T1890: Deploy Vault on Eglide: D3152: Configure Vault on shellserver.
May 29 2023, 10:56 · Odderon, IRC, Vault, security, Eglide
dereckson added a comment to T1890: Deploy Vault on Eglide.

Server log

May 29 2023, 10:54 · Odderon, IRC, Vault, security, Eglide
dereckson added a parent task for T1890: Deploy Vault on Eglide: T1739: Add SASL capability to Darkbot.
May 29 2023, 02:29 · Odderon, IRC, Vault, security, Eglide
dereckson added a revision to T1890: Deploy Vault on Eglide: D3151: Install Vault on shellserver.
May 29 2023, 02:28 · Odderon, IRC, Vault, security, Eglide
dereckson added a parent task for T1890: Deploy Vault on Eglide: T1721: Move IRC bots from Freenode to Libera.
May 29 2023, 00:06 · Odderon, IRC, Vault, security, Eglide
dereckson moved T1890: Deploy Vault on Eglide from Backlog to Next to deploy on the Odderon board.
May 29 2023, 00:06 · Odderon, IRC, Vault, security, Eglide
dereckson triaged T1890: Deploy Vault on Eglide as Normal priority.
May 29 2023, 00:01 · Odderon, IRC, Vault, security, Eglide

May 25 2023

dereckson triaged T1878: Allow to run queries for reporting as Wishlist priority.
May 25 2023, 04:23 · Monitoring and reporting, security, DBA, Servers
dereckson moved T1878: Allow to run queries for reporting from Backlog to Services / Features on the DBA board.
May 25 2023, 04:23 · Monitoring and reporting, security, DBA, Servers

May 20 2023

dereckson added a revision to T1879: Draft a 2FA policy: D3115: Publish SQL queries for DevCentral reports.
May 20 2023, 18:20 · discussion, security, DevCentral
dereckson added a comment to T1879: Draft a 2FA policy.

Documentation available at https://devcentral.nasqueron.org/w/setup_2fa/

May 20 2023, 17:36 · discussion, security, DevCentral
dereckson edited the content of Setup 2FA.
May 20 2023, 17:32 · DevCentral, security