Page MenuHomeDevCentral
Feed Advanced Search

Advanced Search
Use Results
Hide Query

Thu, Feb 5

dereckson closed T2210: fullchain.pem isn't automatically generated by acme.sh as Resolved by committing rOPSc9cb237e5e18: Automate acme.sh install-cert cmd.
Thu, Feb 5, 22:53 · security, Mail
DorianWinty added a revision to T2210: fullchain.pem isn't automatically generated by acme.sh: D3906: Automate acme.sh install-cert cmd.
Thu, Feb 5, 22:04 · security, Mail
dereckson claimed T2210: fullchain.pem isn't automatically generated by acme.sh.

Patched it live.

Thu, Feb 5, 21:48 · security, Mail
dereckson updated subscribers of T2210: fullchain.pem isn't automatically generated by acme.sh.
Thu, Feb 5, 19:52 · security, Mail
dereckson triaged T2210: fullchain.pem isn't automatically generated by acme.sh as High priority.
Thu, Feb 5, 19:52 · security, Mail

Feb 3 2026

dereckson closed T2198: Create new account for duranzed for Samy as Resolved.
Feb 3 2026, 18:57 · security, Servers
dereckson added a revision to T2198: Create new account for duranzed for Samy: D3899: Add duranzed to shell users.
Feb 3 2026, 18:57 · security, Servers
dereckson reassigned T2198: Create new account for duranzed for Samy from dereckson to Duranzed.
Feb 3 2026, 18:56 · security, Servers
dereckson renamed T2198: Create new account for duranzed for Samy from SSH pubkey to add to Create new account for duranzed for Samy.
Feb 3 2026, 18:56 · security, Servers

Nov 10 2025

dereckson added a comment to T2183: Detect legacy SHA-1 RSA keys.

Bruteforce attack scenario possible, so we're only interested by usernames defined in users.sls, not by "root" (can't login by SSH) or generic accounts like "docker" (doesn't exist):

Nov 10 2025, 01:57 · security, Python, Eglide, Servers, Operations sprints (Echoes in the Void)
dereckson updated the task description for T2183: Detect legacy SHA-1 RSA keys.
Nov 10 2025, 01:55 · security, Python, Eglide, Servers, Operations sprints (Echoes in the Void)
dereckson updated the task description for T2183: Detect legacy SHA-1 RSA keys.
Nov 10 2025, 01:47 · security, Python, Eglide, Servers, Operations sprints (Echoes in the Void)
dereckson updated the task description for T2183: Detect legacy SHA-1 RSA keys.
Nov 10 2025, 01:16 · security, Python, Eglide, Servers, Operations sprints (Echoes in the Void)

Oct 25 2025

dereckson moved T1145: Don't truncate passwords from Backlog to General bug & features on the C board.
Oct 25 2025, 23:15 · C, security, Odderon
dereckson moved T1292: userlist.db is saved in 644 from Backlog to Network / System on the C board.
Oct 25 2025, 23:15 · C, good-first-issue, security, Odderon
dereckson added a project to T1145: Don't truncate passwords: C.
Oct 25 2025, 23:12 · C, security, Odderon
dereckson added a project to T1292: userlist.db is saved in 644: C.
Oct 25 2025, 23:12 · C, good-first-issue, security, Odderon

Oct 24 2025

dereckson added a comment to T2155: Review rotation for acme.sh logs.

Same issue for rhyne-wyse.log. Configuration was copied from acme.sh one.

Oct 24 2025, 23:05 · Restricted Project, security, Servers
dereckson closed T2132: Propagate acme.sh certificate so Dovecot can read it as Resolved.
Oct 24 2025, 19:33 · security, Mail, Restricted Project

Oct 20 2025

dereckson added a parent task for T2155: Review rotation for acme.sh logs: T2043: Switch to acme.sh instead of certbot.
Oct 20 2025, 23:06 · Restricted Project, security, Servers
dereckson triaged T2155: Review rotation for acme.sh logs as Normal priority.
Oct 20 2025, 22:52 · Restricted Project, security, Servers
dereckson added a project to T2154: IPv6 support for ns1.nasqueron.org: security.
Oct 20 2025, 22:49 · Servers, IPv6, DNS

Oct 11 2025

dereckson moved T1656: Convert daeghrefn. for Uspection use from Backlog to Need dev on the documentation board.
Oct 11 2025, 11:53 · upsection, security, documentation, IRC, Dæghrefn
dereckson moved T1657: Convert docs. for Uspection use from Backlog to Need dev on the documentation board.
Oct 11 2025, 11:53 · upsection, security, documentation
dereckson closed T1765: SELinux context is missing for /etc/nginx configuration files as Resolved.

The full /etc/nginx directories on both docker-002 and dwellers use httpd_config_t for every file.

Oct 11 2025, 11:44 · Operations sprints (Ignite Alkane Propulsion), Salt, security, Nasqueron Docker deployment squad, Servers
dereckson updated the task description for T1765: SELinux context is missing for /etc/nginx configuration files.
Oct 11 2025, 11:39 · Operations sprints (Ignite Alkane Propulsion), Salt, security, Nasqueron Docker deployment squad, Servers

Oct 10 2025

dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Oct 10 2025, 22:25 · security, Mail, Restricted Project
dereckson moved T2132: Propagate acme.sh certificate so Dovecot can read it from Backlog to Pending review on the security board.
Oct 10 2025, 22:24 · security, Mail, Restricted Project
dereckson moved T2132: Propagate acme.sh certificate so Dovecot can read it from Backlog - On hold pending T1475 to Pending review on the Mail board.
Oct 10 2025, 22:24 · security, Mail, Restricted Project
dereckson added a revision to T2132: Propagate acme.sh certificate so Dovecot can read it: D3732: Enforce correct attributes for acme.sh private keys.
Oct 10 2025, 22:19 · security, Mail, Restricted Project
dereckson claimed T2132: Propagate acme.sh certificate so Dovecot can read it.
Oct 10 2025, 22:07 · security, Mail, Restricted Project

Oct 9 2025

dereckson added a comment to T1878: Allow to run queries for reporting.

Alternatively, we made a lot of progress on this in T2124.

Oct 9 2025, 14:41 · Monitoring and reporting, security, DBA, Servers

Oct 6 2025

dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Oct 6 2025, 09:43 · security, Mail, Restricted Project

Sep 23 2025

dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Sep 23 2025, 17:19 · security, Mail, Restricted Project
dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Sep 23 2025, 17:18 · security, Mail, Restricted Project
dereckson added a revision to T2132: Propagate acme.sh certificate so Dovecot can read it: D3712: Share /var/certificates/<domain> for all mail services.
Sep 23 2025, 17:14 · security, Mail, Restricted Project
dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Sep 23 2025, 16:42 · security, Mail, Restricted Project
dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Sep 23 2025, 16:42 · security, Mail, Restricted Project
dereckson updated the task description for T2132: Propagate acme.sh certificate so Dovecot can read it.
Sep 23 2025, 16:22 · security, Mail, Restricted Project
dereckson moved T2132: Propagate acme.sh certificate so Dovecot can read it from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Sep 23 2025, 16:21 · security, Mail, Restricted Project
dereckson added a revision to T2132: Propagate acme.sh certificate so Dovecot can read it: D3711: Correct path for dovecot certificates.
Sep 23 2025, 16:19 · security, Mail, Restricted Project

Sep 22 2025

dereckson triaged T2132: Propagate acme.sh certificate so Dovecot can read it as High priority.
Sep 22 2025, 21:32 · security, Mail, Restricted Project

Sep 18 2025

dereckson updated the task description for T2040: Supersede Vault by OpenBao.
Sep 18 2025, 22:22 · security, Servers, Vault
dereckson updated the task description for T2040: Supersede Vault by OpenBao.
Sep 18 2025, 22:05 · security, Servers, Vault
dereckson added a comment to T2040: Supersede Vault by OpenBao.

So, there is a new reason to do the upgrade.

Sep 18 2025, 22:04 · security, Servers, Vault

Sep 14 2025

dereckson moved T1580: Deploy ACME-specific DNS server from DNS Server / KnotDNS to AcmeDNS on the DNS board.
Sep 14 2025, 23:11 · Operations sprints (Consolidate them all), DNS, security, Servers
dereckson moved T1580: Deploy ACME-specific DNS server from Backlog to DNS Server / KnotDNS on the DNS board.
Sep 14 2025, 23:10 · Operations sprints (Consolidate them all), DNS, security, Servers
dereckson moved T1928: Serve CAA DNS records from Backlog to DNS records on the DNS board.
Sep 14 2025, 23:10 · Servers, DNS, security

Sep 10 2025

dereckson renamed T2112: Renew Vault web server certificate automatically from Renew Vault HTTPS certificate automatically to Renew Vault web server certificate automatically.
Sep 10 2025, 19:38 · security, Servers
dereckson renamed T2112: Renew Vault web server certificate automatically from Renew Vault HTTP certificate automatically to Renew Vault HTTPS certificate automatically.
Sep 10 2025, 19:38 · security, Servers
dereckson renamed T2112: Renew Vault web server certificate automatically from Renew Vault certificate to Renew Vault HTTP certificate automatically.
Sep 10 2025, 19:38 · security, Servers
dereckson added a revision to T2112: Renew Vault web server certificate automatically: D3657: Renew Vault intermediate authority certificate.
Sep 10 2025, 19:34 · security, Servers
dereckson added a comment to T2112: Renew Vault web server certificate automatically.

First step is to create a script to renew all needed certificates:

Sep 10 2025, 19:31 · security, Servers

May 18 2025

dereckson added a project to T2115: Update Dwellers packages: security.
May 18 2025, 09:06 · Servers
dereckson triaged T2112: Renew Vault web server certificate automatically as High priority.
May 18 2025, 08:46 · security, Servers

Apr 5 2025

dereckson added a comment to T2107: j'aimerais avoir une présence permanente sur internet.

Une fois que tu as retrouvé les accès SSH pour le web statique:

Apr 5 2025, 13:55 · Eglide, security
dereckson added projects to T2107: j'aimerais avoir une présence permanente sur internet: security, Eglide.
Apr 5 2025, 13:51 · Eglide, security

Nov 2 2024

dereckson created Blog Post: SSH keys fingerprints for Dwellers.
Nov 2 2024, 18:17 · Servers, security

Oct 27 2024

dereckson moved T2075: Generate SSH keys for backup purpose from Backlog to Backup infrastructure on the Backups board.
Oct 27 2024, 01:09 · security, Servers, Backups, Salt
dereckson moved T2075: Generate SSH keys for backup purpose from Servers config to Require Salt dev on the Salt board.
Oct 27 2024, 01:00 · security, Servers, Backups, Salt
dereckson moved T2075: Generate SSH keys for backup purpose from Backlog to Servers config on the Salt board.
Oct 27 2024, 01:00 · security, Servers, Backups, Salt
dereckson triaged T2075: Generate SSH keys for backup purpose as Normal priority.
Oct 27 2024, 00:58 · security, Servers, Backups, Salt

Oct 23 2024

dereckson closed T2051: Can't renew TLS certificates verified through HTTP on docker engines as Resolved by committing rOPSb99907864885: Allow nginx to read /.well-known/acme-challenge.
Oct 23 2024, 16:38 · security, Nasqueron Docker deployment squad, Servers

Oct 13 2024

dereckson moved T1861: Configure static IPv6 on WindRiver from Backlog to Knowledge sharing is needed on the IPv6 board.
Oct 13 2024, 12:04 · security, Servers, IPv6
dereckson added a comment to T1861: Configure static IPv6 on WindRiver.

So, to get routing back:

Oct 13 2024, 12:03 · security, Servers, IPv6

Oct 12 2024

dereckson moved T1765: SELinux context is missing for /etc/nginx configuration files from Backlog - Docker to Backlog - Alkane/Webservers on the Operations sprints (Ignite Alkane Propulsion) board.
Oct 12 2024, 10:21 · Operations sprints (Ignite Alkane Propulsion), Salt, security, Nasqueron Docker deployment squad, Servers
dereckson closed T619: Allow to control from TC2 the Docker engine as Wontfix.

Not sure of the current benefit to use TC2.

Oct 12 2024, 10:16 · Operations sprints (Operations sprint 1), security, Nasqueron Docker deployment squad, Servers, Dæghrefn
dereckson moved T1486: Evaluate Archery from Backlog to Not for this sprint on the Operations sprints (Move the ambiant lights) board.
Oct 12 2024, 10:07 · security, Product evaluation, Operations sprints (Move the ambiant lights)
dereckson moved T1602: Provision ACME DNS credentials for core domains on each servers from Backlog to Backlog - Alkane/Webservers on the Operations sprints (Ignite Alkane Propulsion) board.
Oct 12 2024, 09:48 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson edited projects for T1602: Provision ACME DNS credentials for core domains on each servers, added: Operations sprints (Ignite Alkane Propulsion); removed Operations sprints (Consolidate them all).
Oct 12 2024, 09:47 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson moved T1602: Provision ACME DNS credentials for core domains on each servers from Pending review to Not for this sprint on the Operations sprints (Consolidate them all) board.
Oct 12 2024, 09:47 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson added a comment to T1602: Provision ACME DNS credentials for core domains on each servers.

This is still needed for acme.sh if we want to provision different *.nasqueron.org certificates on different servers.

Oct 12 2024, 09:47 · Operations sprints (Ignite Alkane Propulsion), security, Servers
dereckson added a subtask for T1602: Provision ACME DNS credentials for core domains on each servers: T1599: Install TLS wildcard certificates for nginx fallback vhost.
Oct 12 2024, 09:44 · Operations sprints (Ignite Alkane Propulsion), security, Servers

Oct 9 2024

dereckson lowered the priority of T2051: Can't renew TLS certificates verified through HTTP on docker engines from High to Normal.
Oct 9 2024, 18:45 · security, Nasqueron Docker deployment squad, Servers
dereckson updated the task description for T2051: Can't renew TLS certificates verified through HTTP on docker engines.
Oct 9 2024, 18:45 · security, Nasqueron Docker deployment squad, Servers
dereckson added a comment to T2051: Can't renew TLS certificates verified through HTTP on docker engines.

Salt SELinux module issue

Oct 9 2024, 18:45 · security, Nasqueron Docker deployment squad, Servers
dereckson updated the task description for T2051: Can't renew TLS certificates verified through HTTP on docker engines.
Oct 9 2024, 18:07 · security, Nasqueron Docker deployment squad, Servers
dereckson added a revision to T2051: Can't renew TLS certificates verified through HTTP on docker engines: D3501: Allow nginx to read /.well-known/acme-challenge.
Oct 9 2024, 17:48 · security, Nasqueron Docker deployment squad, Servers
dereckson moved T2051: Can't renew TLS certificates verified through HTTP on docker engines from Backlog to Pending review on the Servers board.
Oct 9 2024, 17:43 · security, Nasqueron Docker deployment squad, Servers
dereckson moved T2051: Can't renew TLS certificates verified through HTTP on docker engines from Backlog to Working on on the Nasqueron Docker deployment squad board.

SELinux context was the default for anything created under /var, which we didn't allow and aren't interested to allow for nginx.

Oct 9 2024, 17:43 · security, Nasqueron Docker deployment squad, Servers
dereckson triaged T2051: Can't renew TLS certificates verified through HTTP on docker engines as High priority.
Oct 9 2024, 16:02 · security, Nasqueron Docker deployment squad, Servers
dereckson created T2051: Can't renew TLS certificates verified through HTTP on docker engines.
Oct 9 2024, 16:01 · security, Nasqueron Docker deployment squad, Servers

Oct 3 2024

dereckson created Blog Post: WindRiver moved to a new home. New SSH keys..
Oct 3 2024, 19:42 · security, Servers
dereckson added a comment to T2040: Supersede Vault by OpenBao.

Yes, it's a fork from Vault 1.14 so we've all the features of token generation. back to the shorter s. tokens).

Oct 3 2024, 17:26 · security, Servers, Vault
DorianWinty added a comment to T2040: Supersede Vault by OpenBao.
  • about the UI it could be usefull managing secrets more easyly
Oct 3 2024, 17:23 · security, Servers, Vault
dereckson moved T2040: Supersede Vault by OpenBao from Backlog to Analysis / under discussion on the Servers board.
Oct 3 2024, 15:21 · security, Servers, Vault
dereckson triaged T2040: Supersede Vault by OpenBao as Normal priority.
Oct 3 2024, 15:21 · security, Servers, Vault

Sep 12 2024

dereckson shifted T1996: Servers on hyper-001 have network issues from the Restricted Space space to the S1 Nasqueron space.
Sep 12 2024, 18:16 · security, Servers
dereckson closed T1996: Servers on hyper-001 have network issues as Wontfix.

Can't repro

Sep 12 2024, 18:15 · security, Servers
dereckson added a revision to T930: Secrets to migrate from DevCentral to Vault: D3441: Prune Zemke-Rhyne.
Sep 12 2024, 17:02 · User-Dereckson, Vault, Nasqueron Operations Squad, security

Sep 8 2024

Sandlayth closed T2013: Add new public ssh-key belonging to user sandlayth as Resolved by committing rOPS257aa8d9e00c: Add new public ssh-key belonging to user sandlayth.
Sep 8 2024, 09:07 · security, Servers
Sandlayth added a revision to T2013: Add new public ssh-key belonging to user sandlayth: D3433: Add new public ssh-key belonging to user sandlayth.
Sep 8 2024, 09:06 · security, Servers

Sep 5 2024

Sandlayth triaged T2013: Add new public ssh-key belonging to user sandlayth as Low priority.
Sep 5 2024, 20:40 · security, Servers

Aug 17 2024

dereckson closed T853: Deploy a Let's encrypt certificate to the Mumble server as Wontfix.

Mumble isn't currently in scope.

Aug 17 2024, 14:56 · good-first-issue, Mumble, security, Servers
dereckson closed T853: Deploy a Let's encrypt certificate to the Mumble server, a subtask of T654: Apply Let's encrypt SSL certificates for *.nasqueron.org, as Wontfix.
Aug 17 2024, 14:56 · security, Servers

Aug 4 2024

dereckson closed T1928: Serve CAA DNS records as Resolved.

Both are already set in DNS:

Aug 4 2024, 17:45 · Servers, DNS, security
dereckson added a comment to T1928: Serve CAA DNS records.

We use a wildcard certificate, so issuewild is needed, yes.

Aug 4 2024, 17:44 · Servers, DNS, security
dereckson claimed T1928: Serve CAA DNS records.
Aug 4 2024, 17:43 · Servers, DNS, security
dereckson moved T1879: Draft a 2FA policy from Backlog to Nasqueron Operations SIG on the discussion board.
Aug 4 2024, 17:42 · discussion, security, DevCentral
dereckson updated subscribers of T1879: Draft a 2FA policy.

@Ash-Crow @fauve @rama @replicatorbe @Sandlayth @xcombelle Any feedback on this?

Aug 4 2024, 17:41 · discussion, security, DevCentral
Next
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator