[Debian-rtc-admin] [rt.debian.org #8257] Allow debvoip to sudoedit prosody config files on vogler

Sat Oct 19 14:33:05 BST 2024

Dear Philipp, dear Gustavo,

thanks for looking into this issue!

On 2024-10-19 09:17, Philipp Kern via RT wrote:
> On Sat Jun 13 12:05:13 2020, gfa at zumbi.com.ar wrote:
>> - Allow debvoip to sudoedit /etc/prosody/* on vogler
>>   We need this to make transient changes to the configuration, like
>>   debugging a connection problem or a report of spam.
>>   A typical use will be to change the logging level to debug then roll
>>   it back
>
> Unfortunately we cannot do this, at least for now. I assume turning on debug logging in general would be too privacy intruding?

TTBOMK, full debug log shows "everything". Admin can see all contact and
all messages, if they are not e2ee. I can check with prosody upstream if
there is a debug mode, that is less problematic and still helpful for
our use case. In that case, I suggest, that :debvoip group can only
switch on and off this specific mode. E.g. by something like "touch
/etc/prosody/turn-on-debug && systemctl reload prosody" or whatever.

>> - Allow debvoip to su - to prosody
>>   Sometimes we need to investigate a message coming from an spammer to
>>   our users, the only way to do that is to check the actual message in
>>   /var/lib/prosody
>>   To clarify the how and when we may do this, we started to write a
>>   privacy policy / Tos so our users know what can they expect from us
>>   https://salsa.debian.org/rtc-team/terms-of-service
>
> This repository still looks like it is empty, unless I am missing something.

It was and still is a good idea, to have a ToS document. Maybe we can
re-use a proven one from elsewhere?

>> - Create a unix local user to use it from gitlab
>>   we want to deploy changes to the antispam and other things directly
>>   from salsa, and for that we need a dedicated user with SSH access
>> and
>>   belonging to the debvoip team.
>>   We could also have this user outside the debvoip team but then we'll
>>   need to add sudo access to this particular user.
>>   We propose the name debvoip-salsa for this user but we dont care if
>>   you guys prefer a different name

gfa did create the files in /srv/prosody/antispam/ and members of
:debvoip can edit them. So I guess, that this issue is solved?

>> - Install nginx, configure a vhost and open the firewall ports
>>   To provide BOSH and HTTP uploads over the port 443 we need to use
>>   nginx, we'll manage this ourselves, a puppet patch is coming for
>> this
>>   purpose

I believe, that we should have nginx on vogler on ports 443 and 80.
It's needed not only for BOSH and HTTP file upload, but it is also a
very good idea to run xmpps (XMPP over direct TLS) on port 443. Last
time in a British train, I only could connect to my private Jabber
server on port 443, but not the Debian server.

I can prepare an Nginx config, NP.

Cheers

PS: I recently sent a git patch on the DSA mailing list improving the
group chat function of our server. If you or somebody else could apply
it, that would be great.