From rt at rt.debian.org Sat Oct 19 10:17:01 2024
From: rt at rt.debian.org (Philipp Kern via RT)
Date: Sat, 19 Oct 2024 09:17:01 +0000
Subject: [Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler
References: <20200613120504.mj3vghcwdxgj5o2m@zumbi.com.ar>

Hi,

I have found this somewhat old ticket.

On Sat Jun 13 12:05:13 2020, gfa at zumbi.com.ar wrote:
> first, thanks for moving the ticket to the appropriate queue
>
> 2 weeks ago part of the RTC team had a discussion on how to improve the
> service and how we can make changes faster
>
> there are a few things we need from you guys
>
> - Allow debvoip to sudoedit /etc/prosody/* on vogler
> We need this to make transient changes to the configuration, like
> debugging a connection problem or a report of spam.
> A typical use will be to change the logging level to debug then roll
> it back

Unfortunately we cannot do this, at least for now. I assume turning on
debug logging in general would be too privacy intruding?

> - Allow debvoip to su - to prosody
> Sometimes we need to investigate a message coming from a spammer to
> our users, the only way to do that is to check the actual message in
> /var/lib/prosody
> To clarify the how and when we may do this, we started to write a
> privacy policy / ToS so our users know what they can expect from us
> https://salsa.debian.org/rtc-team/terms-of-service

This repository still looks like it is empty, unless I am missing something.

> - Create a unix local user to use it from gitlab
> we want to deploy changes to the antispam and other things directly
> from salsa, and for that we need a dedicated user with SSH access and
> belonging to the debvoip team.
> We could also have this user outside the debvoip team but then we'll
> need to add sudo access to this particular user.
> We propose the name debvoip-salsa for this user but we don't care if
> you guys prefer a different name
>
> - Install nginx, configure a vhost and open the firewall ports
> To provide BOSH and HTTP uploads over the port 443 we need to use
> nginx, we'll manage this ourselves, a puppet patch is coming for this
> purpose

Are these two still current?

Kind regards and thanks
Philipp Kern

From debacle at debian.org Sat Oct 19 14:32:55 2024
From: debacle at debian.org (Martin)
Date: Sat, 19 Oct 2024 13:32:55 +0000
Subject: [Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler
In-Reply-To: (Philipp Kern via's message of "Sat, 19 Oct 2024 09:17:01 +0000")
References: <20200613120504.mj3vghcwdxgj5o2m@zumbi.com.ar>
Message-ID: <8734ks2p6g.fsf@fama.lan>

Dear Philipp, dear Gustavo,

thanks for looking into this issue!

On 2024-10-19 09:17, Philipp Kern via RT wrote:
> On Sat Jun 13 12:05:13 2020, gfa at zumbi.com.ar wrote:
>> - Allow debvoip to sudoedit /etc/prosody/* on vogler
>> We need this to make transient changes to the configuration, like
>> debugging a connection problem or a report of spam.
>> A typical use will be to change the logging level to debug then roll
>> it back
>
> Unfortunately we cannot do this, at least for now. I assume turning on
> debug logging in general would be too privacy intruding?

TTBOMK, full debug log shows "everything". Admins can see all contacts and
all messages, if they are not e2ee. I can check with prosody upstream if
there is a debug mode that is less problematic and still helpful for
our use case. In that case, I suggest that the :debvoip group can only
switch on and off this specific mode, e.g. by something like
"touch /etc/prosody/turn-on-debug && systemctl reload prosody" or whatever.

>> - Allow debvoip to su - to prosody
>> Sometimes we need to investigate a message coming from a spammer to
>> our users, the only way to do that is to check the actual message in
>> /var/lib/prosody
>> To clarify the how and when we may do this, we started to write a
>> privacy policy / ToS so our users know what they can expect from us
>> https://salsa.debian.org/rtc-team/terms-of-service
>
> This repository still looks like it is empty, unless I am missing something.

It was and still is a good idea to have a ToS document. Maybe we can
re-use a proven one from elsewhere?

>> - Create a unix local user to use it from gitlab
>> we want to deploy changes to the antispam and other things directly
>> from salsa, and for that we need a dedicated user with SSH access and
>> belonging to the debvoip team.
>> We could also have this user outside the debvoip team but then we'll
>> need to add sudo access to this particular user.
>> We propose the name debvoip-salsa for this user but we don't care if
>> you guys prefer a different name

gfa did create the files in /srv/prosody/antispam/ and members of
:debvoip can edit them. So I guess that this issue is solved?

>> - Install nginx, configure a vhost and open the firewall ports
>> To provide BOSH and HTTP uploads over the port 443 we need to use
>> nginx, we'll manage this ourselves, a puppet patch is coming for this
>> purpose

I believe that we should have nginx on vogler on ports 443 and 80.
It's needed not only for BOSH and HTTP file upload, but it is also a
very good idea to run xmpps (XMPP over direct TLS) on port 443. Last
time in a British train, I could only connect to my private Jabber
server on port 443, but not the Debian server.

I can prepare an Nginx config, NP.

Cheers

PS: I recently sent a git patch on the DSA mailing list improving the
group chat function of our server. If you or somebody else could apply
it, that would be great.
From rt at rt.debian.org Sat Oct 19 15:26:58 2024
From: rt at rt.debian.org (Philipp Kern via RT)
Date: Sat, 19 Oct 2024 14:26:58 +0000
Subject: [Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler
In-Reply-To: <73356536-e7a9-4f35-8fa3-fab4b499abb8@debian.org>
References: <20200613120504.mj3vghcwdxgj5o2m@zumbi.com.ar> <8734ks2p6g.fsf@fama.lan> <73356536-e7a9-4f35-8fa3-fab4b499abb8@debian.org>

Hi,

On 10/19/24 3:33 PM, W. Martin Borgert via RT wrote:
> TTBOMK, full debug log shows "everything". Admins can see all contacts and
> all messages, if they are not e2ee.
> I can check with prosody upstream if
> there is a debug mode that is less problematic and still helpful for
> our use case. In that case, I suggest that the :debvoip group can only
> switch on and off this specific mode, e.g. by something like "touch
> /etc/prosody/turn-on-debug && systemctl reload prosody" or whatever.

It'd be good if this would not hit the disk.

[...]
> I believe that we should have nginx on vogler on ports 443 and 80.
> It's needed not only for BOSH and HTTP file upload, but it is also a
> very good idea to run xmpps (XMPP over direct TLS) on port 443. Last
> time in a British train, I could only connect to my private Jabber
> server on port 443, but not the Debian server.

Could we also do it with apache? We don't currently run nginx.

> PS: I recently sent a git patch on the DSA mailing list improving the
> group chat function of our server. If you or somebody else could apply
> it, that would be great.

It'd be good if you'd attach it here. Thanks!

Kind regards
Philipp Kern

From debacle at debian.org Sat Oct 19 15:50:54 2024
From: debacle at debian.org (Martin)
Date: Sat, 19 Oct 2024 14:50:54 +0000
Subject: [Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler
In-Reply-To: (Philipp Kern via's message of "Sat, 19 Oct 2024 14:26:58 +0000")
References: <20200613120504.mj3vghcwdxgj5o2m@zumbi.com.ar> <8734ks2p6g.fsf@fama.lan> <73356536-e7a9-4f35-8fa3-fab4b499abb8@debian.org>
Message-ID: <87cyjw1701.fsf@fama.lan>

Hi Philipp,

On 2024-10-19 14:26, Philipp Kern via RT wrote:
> On 10/19/24 3:33 PM, W. Martin Borgert via RT wrote:
>> TTBOMK, full debug log shows "everything". Admins can see all contacts and
>> all messages, if they are not e2ee. I can check with prosody upstream if
>> there is a debug mode that is less problematic and still helpful for
>> our use case. In that case, I suggest that the :debvoip group can only
>> switch on and off this specific mode, e.g. by something like "touch
>> /etc/prosody/turn-on-debug && systemctl reload prosody" or whatever.
>
> It'd be good if this would not hit the disk.

I'll ask upstream about it. As prosody is written and configured in Lua,
everything should be possible.

> [...]
>> I believe that we should have nginx on vogler on ports 443 and 80.
>> It's needed not only for BOSH and HTTP file upload, but it is also a
>> very good idea to run xmpps (XMPP over direct TLS) on port 443. Last
>> time in a British train, I could only connect to my private Jabber
>> server on port 443, but not the Debian server.
>
> Could we also do it with apache? We don't currently run nginx.

I guess so, but I lost all my Apache knowledge some years ago. I use
nginx on my private Jabber server to disentangle various TLS protocols
all on the same port 443:

    stream {
        map $ssl_preread_alpn_protocols $upstream {
            default              httpserver;
            "xmpp-client"        xmppserver;
            "stun.turn"          turnserver;
            "stun.nat-discovery" turnserver;
        }
    }

sslh can do that, too, but I'm not sure about the syntax. Also, I
remember rumours that nginx were somehow "better" than sslh for that
task. I can check that in the XMPP operators group chat.

>> PS: I recently sent a git patch on the DSA mailing list improving the
>> group chat function of our server. If you or somebody else could apply
>> it, that would be great.
>
> It'd be good if you'd attach it here. Thanks!

Sure!

Cheers,
Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-activate-MAM-and-vcard-for-MUC.patch
Type: text/x-diff
Size: 1037 bytes
Desc: MUC patch
URL:
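As an added illustration (not code from this thread, from nginx, or from the Debian RTC setup), the script below shows what the ALPN-based `map` quoted above actually decides on: it builds a constructed TLS ClientHello, extracts the ALPN names exactly as an `ssl_preread` router reads them from the unencrypted handshake, and applies the same map. It assumes nginx's semantics for literal map keys (the comma-joined ALPN list must match a key exactly, otherwise the default applies); the backend names come from the quoted config, everything else is constructed.

```python
import struct

# Constructed map mirroring the nginx `map` block quoted in the thread. Assumption:
# like nginx, the comma-joined ALPN list must equal a key exactly, else the default.
ALPN_BACKENDS = {"xmpp-client": "xmppserver", "stun.turn": "turnserver",
                 "stun.nat-discovery": "turnserver"}
ALPN_EXT = 0x0010  # application_layer_protocol_negotiation, RFC 7301

def build_client_hello(alpn):
    """Construct a minimal TLS ClientHello record advertising the given ALPN names (sample input)."""
    names = b"".join(bytes([len(n)]) + n.encode() for n in alpn)
    ext_data = struct.pack("!H", len(names)) + names
    exts = struct.pack("!HH", ALPN_EXT, len(ext_data)) + ext_data if alpn else b""
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeroed: sample only)
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def alpn_from_client_hello(rec):
    """Return the ALPN names in a ClientHello, or [] if it carries no ALPN extension.
    Everything parsed here is plaintext: the router needs no server key, and the client
    may claim any protocol, so the chosen backend still has to authenticate it."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if hs[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                # handshake header, version, random
    p += 1 + hs[p]                                # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher suites
    p += 1 + hs[p]                                # compression methods
    if p + 2 > len(hs):
        return []                                 # no extensions block at all
    end, p = p + 2 + struct.unpack("!H", hs[p:p + 2])[0], p + 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
        if etype == ALPN_EXT:
            names, q = [], 2                      # skip the 2-byte list length
            while q < len(data):
                names.append(data[q + 1:q + 1 + data[q]].decode())
                q += 1 + data[q]
            return names
    return []

def pick_backend(rec):
    """Route like nginx's map: whole comma-joined ALPN list must match a key, else default."""
    return ALPN_BACKENDS.get(",".join(alpn_from_client_hello(rec)), "httpserver")
```

A browser that advertises "h2,http/1.1" therefore lands on the HTTP backend, and a client that sends no ALPN at all also falls through to the default, which is why the default line in the map matters.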