From b0698090da0dc44437b51a6b69ac55dd24a7e1d3 Mon Sep 17 00:00:00 2001
From: sgk <sgk@riseup.net>
Date: Sat, 13 Jul 2024 09:18:45 +0530
Subject: [PATCH] git subrepo pull (merge) float

subrepo:
  subdir:   "float"
  merged:   "89039534"
upstream:
  origin:   "https://git.autistici.org/ai3/float.git"
  branch:   "master"
  commit:   "89039534"
git-subrepo:
  version:  "0.4.7"
  origin:   "https://github.com/ingydotnet/git-subrepo"
  commit:   "c9ec2a6"
---
 float/.gitrepo                                     |  6 +++---
 float/float                                        |  7 +++----
 float/plugins/action/x509_ca.py                    |  2 +-
 .../templates/litestream-restore-script.j2         |  2 +-
 .../roles/float-base/files/modprobe-hardening.conf |  3 ---
 float/roles/float-base/tasks/debian_misc.yml       |  5 +++++
 float/roles/float-base/templates/modules.conf.j2   |  2 ++
 .../roles/float-infra-acme/templates/config.yml.j2 |  6 +++---
 float/roles/float-infra-dns/files/in-view.sed      | 10 ++++++++++
 float/roles/float-infra-dns/tasks/main.yml         | 14 ++++++++++++--
 .../templates/bind/named.conf.local                |  4 ++--
 .../templates/bind/named.conf.options              |  3 +++
 float/roles/float-infra-dns/templates/update-dns   | 14 +++++++++++++-
 .../templates/elasticsearch/log4j2.properties      |  3 +++
 .../templates/rules/rules_ssl_probes.conf.yml      |  2 +-
 float/roles/float-util-credentials/tasks/main.yml  |  2 +-
 16 files changed, 63 insertions(+), 22 deletions(-)
 create mode 100644 float/roles/float-base/templates/modules.conf.j2
 create mode 100644 float/roles/float-infra-dns/files/in-view.sed

diff --git a/float/.gitrepo b/float/.gitrepo
index 88bd8cc6..60b6a9b1 100644
--- a/float/.gitrepo
+++ b/float/.gitrepo
@@ -6,7 +6,7 @@
 [subrepo]
 	remote = https://git.autistici.org/ai3/float.git
 	branch = master
-	commit = b02a3496b03886b59f9b1fd6c197d06c4a9ce66d
-	parent = c6d787af527667d24631d61f7b3050d25cce8139
-	cmdver = 0.4.6
+	commit = 89039534fb72c317de51d7a5c2f8e6815d61b982
+	parent = 155d2691324dc97829db4e0a5f77b512bb8c0647
+	cmdver = 0.4.7
 	method = merge
diff --git a/float/float b/float/float
index d2727f32..eae52a4b 100755
--- a/float/float
+++ b/float/float
@@ -364,14 +364,13 @@ def command_create_env(path, services, passwords, playbooks,
     # Catch ValueError to handle parsing errors for composite-valued
     # options and print a friendly message.
     try:
-        all_vars['inventory']['hosts'] = _random_hosts(
-            num_hosts,
-            _parse_additional_host_groups(additional_host_groups),
-        )
+        extra_memberships = _parse_additional_host_groups(additional_host_groups)
     except ValueError:
         print('Unable to parse additional-host-group spec', file=sys.stderr)
         return 1
 
+    all_vars['inventory']['hosts'] = _random_hosts(num_hosts, extra_memberships)
+
     all_vars['ram'] = ram
     all_vars['config']['domain_public'] = [domain]
     all_vars['config']['domain'] = (
diff --git a/float/plugins/action/x509_ca.py b/float/plugins/action/x509_ca.py
index 155601ee..d1125dc7 100644
--- a/float/plugins/action/x509_ca.py
+++ b/float/plugins/action/x509_ca.py
@@ -53,6 +53,6 @@ class ActionModule(ActionBase):
                     'x509ca', 'init', '--subject=' + ca_subject,
                     '--ca-cert=' + ca_cert_path, '--ca-key=' + tmp_ca_key_path])
                 vault_encrypt(tmp_ca_key_path, ca_key_path)
-        
+
         result['changed'] = changed
         return result
diff --git a/float/roles/float-base-datasets/templates/litestream-restore-script.j2 b/float/roles/float-base-datasets/templates/litestream-restore-script.j2
index f37e36dc..05778ce7 100644
--- a/float/roles/float-base-datasets/templates/litestream-restore-script.j2
+++ b/float/roles/float-base-datasets/templates/litestream-restore-script.j2
@@ -6,7 +6,7 @@
 set -a
 . /etc/litestream/{{ dataset_tag }}.env
 
-/usr/bin/litestream restore --config=/etc/litestream/{{ dataset_tag }}.yml --if-replica-exists -v "{{ dataset_path }}/{{ dataset_filename }}"
+/usr/bin/litestream restore --config=/etc/litestream/{{ dataset_tag }}.yml --if-replica-exists "{{ dataset_path }}/{{ dataset_filename }}"
 
 if [ $? -gt 0 ]; then
     echo "ERROR: restore failed!" >&2
diff --git a/float/roles/float-base/files/modprobe-hardening.conf b/float/roles/float-base/files/modprobe-hardening.conf
index c0cd23ff..1ac8e81b 100644
--- a/float/roles/float-base/files/modprobe-hardening.conf
+++ b/float/roles/float-base/files/modprobe-hardening.conf
@@ -1,6 +1,3 @@
-# Disable automatic conntrack helper assignment.
-options nf_conntrack nf_conntrack_helper=0
-
 # Obscure network protocols with a bad security track record.
 install dccp /bin/false
 install sctp /bin/false
diff --git a/float/roles/float-base/tasks/debian_misc.yml b/float/roles/float-base/tasks/debian_misc.yml
index 6b305e44..f49112ed 100644
--- a/float/roles/float-base/tasks/debian_misc.yml
+++ b/float/roles/float-base/tasks/debian_misc.yml
@@ -38,6 +38,11 @@
     dest: "/etc/sysctl.conf"
   notify: reload sysctl
 
+- name: Configure kernel modules
+  template:
+    src: "modules.conf.j2"
+    dest: "/etc/modules-load.d/float-base.conf"
+
 - name: Configure systemd
   copy:
     src: "system.conf"
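Review bot: The new "Configure kernel modules" task only writes /etc/modules-load.d/float-base.conf, which systemd-modules-load reads at boot, so nothing loads nf_conntrack during the play that first installs it; if the sysctl.conf rendered by the preceding task (its `notify: reload sysctl` is visible at the top of the hunk) sets any net.netfilter.nf_conntrack_* key, that reload would fail on a fresh host until reboot — the sysctl content is not in this patch, so please confirm. A task using the `modprobe` module with `name: nf_conntrack` and `state: present`, placed before the sysctl task, or a handler that the new task notifies, closes that gap. The template carries no variables, so `copy` with the same `src`/`dest` would do the same job. Since the modprobe-hardening.conf hunk above drops `options nf_conntrack nf_conntrack_helper=0`, the comment in modules.conf.j2 should name the sysctl that now carries that setting, so a reader can verify helper auto-assignment stays disabled.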
diff --git a/float/roles/float-base/templates/modules.conf.j2 b/float/roles/float-base/templates/modules.conf.j2
new file mode 100644
index 00000000..f25d925e
--- /dev/null
+++ b/float/roles/float-base/templates/modules.conf.j2
@@ -0,0 +1,2 @@
+# Make nf_conntrack sysctl available
+nf_conntrack
diff --git a/float/roles/float-infra-acme/templates/config.yml.j2 b/float/roles/float-infra-acme/templates/config.yml.j2
index 8533272b..eecede7a 100644
--- a/float/roles/float-infra-acme/templates/config.yml.j2
+++ b/float/roles/float-infra-acme/templates/config.yml.j2
@@ -10,9 +10,9 @@ http:
   enabled: true
 dns:
   enabled: true
-  tsig_key_name: "acme"
-  tsig_key_algo: "{{ acme_tsig_key.algo }}"
-  tsig_key_secret: "{{ acme_tsig_key.private }}"
+  tsig_key_name: "acme."
+  tsig_key_algo: "{{ acme_tsig_key.algo | lower }}."
+  tsig_key_secret: "{{ acme_tsig_key.public }}"
   nameservers:
 {% for h in services['dns'].hosts | sort %}
     - {{ h }}.dns.{{ domain }}
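Review bot: `tsig_key_secret` now reads `acme_tsig_key.public` where it previously read `.private`, and nothing in the template says why; a TSIG key is a single HMAC secret rather than a key pair, so a later reader is likely to "correct" this back. A comment above the `dns:` block along the lines of `{# the shared TSIG secret lives in the 'public' field of the generated credential; '.private' is not the value bind expects #}` — adjusted to what the credential generator actually emits, which is not visible here — would pin the intent. A similar one-liner that the trailing dots on `tsig_key_name` and `tsig_key_algo` are deliberate FQDN forms, matching the `grant acme` policy in update-dns, would save the next person the same guesswork.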
diff --git a/float/roles/float-infra-dns/files/in-view.sed b/float/roles/float-infra-dns/files/in-view.sed
new file mode 100644
index 00000000..507eb209
--- /dev/null
+++ b/float/roles/float-infra-dns/files/in-view.sed
@@ -0,0 +1,10 @@
+# Script to convert each zone in a view to a series of in-view declarations
+1i\
+// Automatically generated, do not edit.
+/^zone/{
+a\
+	in-view "internal-in";\
+};
+p
+}
+
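Review bot: The script hardcodes the view name `internal-in` and assumes every zone block in named.conf.zones opens with a line beginning `zone`, but neither assumption is stated in the header comment; it is also only correct when consumed with `sed -n -f` (as update-dns does), since without `-n` every input line would be emitted again after the generated stanza. Expanding the first line to something like `# Usage: sed -n -f in-view.sed named.conf.zones -- expects one 'zone "..." {' opener per line; "internal-in" must match the view name in named.conf.local` documents the contract in the file itself. The trailing blank line at the end of the file can be dropped.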
diff --git a/float/roles/float-infra-dns/tasks/main.yml b/float/roles/float-infra-dns/tasks/main.yml
index 99d0a1b5..5c522436 100644
--- a/float/roles/float-infra-dns/tasks/main.yml
+++ b/float/roles/float-infra-dns/tasks/main.yml
@@ -29,6 +29,11 @@
   notify: reload bind
   register: dns_config
 
+- name: Install in-view.sed script
+  copy:
+    src: "in-view.sed"
+    dest: "/etc/bind/in-view.sed"
+
 - name: Create bind9 zone dirs
   file:
     path: "/etc/bind/zones"
@@ -60,6 +65,7 @@
   changed_when: false
   with_items:
     - named.conf.zones
+    - named.conf.zones.in-view
     - named.conf.internal-custom-zones
     - named.conf.external-custom-zones
 
@@ -103,13 +109,17 @@
   file:
     path: "/etc/credentials/dnssec"
     state: directory
-    mode: 0700
+    owner: root
+    group: bind
+    mode: 0750
 
 - name: Install DNSSEC keys
   copy:
     src: "{{ item }}"
     dest: "/etc/credentials/dnssec/{{ item | basename }}"
-    mode: 0600
+    owner: root
+    group: bind
+    mode: 0640
   with_fileglob:
     - "{{ credentials_dir }}/dnssec/K*.private"
     - "{{ credentials_dir }}/dnssec/K*.key"
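Review bot: The new `mode: 0750` and `mode: 0640` values are unquoted leading-zero literals, which YAML parses as integers; Ansible's own guidance is to quote file modes (`mode: "0750"`, `mode: "0640"`) so the module receives a string and does its own octal conversion. Because these two tasks now make the DNSSEC private keys readable by the `bind` group, a comment on the "Install DNSSEC keys" task recording the reason, e.g. `# group-readable so named can re-sign zones changed by dynamic updates (see key-directory in named.conf.options)`, would explain why the permissions were relaxed from 0600. The copy of in-view.sed in the first hunk sets no mode at all, which is fine for a root-owned script but worth making explicit for consistency with the tasks around it.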
diff --git a/float/roles/float-infra-dns/templates/bind/named.conf.local b/float/roles/float-infra-dns/templates/bind/named.conf.local
index baa7da72..7b4fb378 100644
--- a/float/roles/float-infra-dns/templates/bind/named.conf.local
+++ b/float/roles/float-infra-dns/templates/bind/named.conf.local
@@ -32,6 +32,6 @@ view "external-in" in {
   // Include manually-maintained zones.
   include "/etc/bind/named.conf.external-custom-zones";
 
-// Include zonetool-maintained zones.
-  include "/etc/bind/named.conf.zones";
+  // Include zonetool-maintained zones (in-view references).
+  include "/etc/bind/named.conf.zones.in-view";
 };
diff --git a/float/roles/float-infra-dns/templates/bind/named.conf.options b/float/roles/float-infra-dns/templates/bind/named.conf.options
index b0ace7b0..aeae164e 100644
--- a/float/roles/float-infra-dns/templates/bind/named.conf.options
+++ b/float/roles/float-infra-dns/templates/bind/named.conf.options
@@ -30,6 +30,9 @@ options {
 
   dnssec-validation auto;
 
+  // For re-signing with dynamic updates.
+  key-directory "/etc/credentials/dnssec";
+
   notify no;
   rrset-order { order random; };
 
diff --git a/float/roles/float-infra-dns/templates/update-dns b/float/roles/float-infra-dns/templates/update-dns
index aba76507..0d378a74 100755
--- a/float/roles/float-infra-dns/templates/update-dns
+++ b/float/roles/float-infra-dns/templates/update-dns
@@ -3,7 +3,11 @@
 # Wrapper for zonetool, with the right options.
 #
 
-exec /usr/bin/zonetool \
+set -e
+
+rndc freeze
+
+/usr/bin/zonetool \
      --config /etc/dns/zonetool.yml \
      --named-conf /etc/bind/named.conf.zones \
      --output-dir /etc/bind/zones --delete \
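Review bot: Replacing `exec` with `set -e` followed by `rndc freeze` means any failure of zonetool, or of the sed step in the next hunk, exits the script before the final `rndc thaw` runs, leaving every zone frozen — dynamic updates, including the `grant acme zonesub TXT` policy added below, are refused until someone thaws by hand. Installing `trap 'rndc thaw' EXIT` right after the freeze makes the thaw unconditional, and the explicit `rndc thaw` at the end then becomes redundant. The sed in the second hunk also redirects straight into /etc/bind/named.conf.zones.in-view, so a partial write leaves named with a truncated include; writing to a sibling temporary file and moving it into place avoids that (a plain redirect rather than mktemp, so the file keeps the umask-derived permissions named needs to read it). The script has no functions, so the whole file is in view across the two hunks.
```shell
set -e

rndc freeze
# Thaw on every exit path; otherwise a zonetool or sed failure leaves
# all zones frozen and dynamic updates refused.
trap 'rndc thaw' EXIT

# … unchanged: zonetool invocation …

tmp=/etc/bind/named.conf.zones.in-view.tmp
sed -n -f /etc/bind/in-view.sed \
     /etc/bind/named.conf.zones \
     > "$tmp"
mv "$tmp" /etc/bind/named.conf.zones.in-view
```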
@@ -11,4 +15,12 @@ exec /usr/bin/zonetool \
      --ds-dir /etc/bind/dnssec-ds \
      --nsec3-salt {{ dnssec_nsec3_salt }} \
      --dnssec-refresh \
+     --update-policy 'grant acme zonesub TXT' \
      /etc/dns/manual /etc/dns/auto
+
+sed -n -f /etc/bind/in-view.sed \
+     /etc/bind/named.conf.zones \
+     > /etc/bind/named.conf.zones.in-view
+
+rndc thaw
+
diff --git a/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties b/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties
index 6dd5029f..d2aa7b05 100644
--- a/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties
+++ b/float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties
@@ -7,6 +7,9 @@ status = error
 logger.action.name = org.elasticsearch.action
 logger.action.level = debug
 
+logger.deprecation.name = org.elasticsearch.deprecation
+logger.deprecation.level = error
+
 appender.rolling.type = RollingFile
 appender.rolling.name = rolling
 appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
diff --git a/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml b/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml
index 60015730..9aa4a902 100644
--- a/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml
+++ b/float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml
@@ -2,7 +2,7 @@ groups:
   - name: roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf
     rules:
       - record: target:probe_ssl_cert_expiry:days
-        expr: ((min(probe_ssl_earliest_cert_expiry) by (probe,host)) - time()) / 86400
+        expr: ((min(probe_ssl_earliest_cert_expiry) by (float_job,probe,host)) - time()) / 86400
 
       - record: service_credentials_expiration_time:days
         expr: ((min(service_credentials_expiration_time) by (name,float_service)) - time()) / 86400
diff --git a/float/roles/float-util-credentials/tasks/main.yml b/float/roles/float-util-credentials/tasks/main.yml
index b7cf1fe8..da744087 100644
--- a/float/roles/float-util-credentials/tasks/main.yml
+++ b/float/roles/float-util-credentials/tasks/main.yml
@@ -76,7 +76,7 @@
         params: "{{ item.0.x509_params|default({}) }}"
         private_key_path: "/etc/credentials/{{ item.0.credentials.ca_tag | default(default_ca_tag) }}/{{ item.0.credentials.name }}/{{ item.0.mode }}/private_key.pem"
         check: false
-      when: "item.1.changed"
+      when: "item.1.changed or (force_renew_credentials | default(False))"
       loop: "{{ credentials | zip(x509_should_update.results) | list }}"
       register: x509_csr
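Review bot: `force_renew_credentials` is introduced only through this `when:` expression, with `default(False)` as its sole documentation; a reader of the role cannot tell where it is meant to be set or that it re-issues every x509 credential in the loop. Declaring it in the role's defaults with a comment such as `# Set to true (e.g. -e force_renew_credentials=true) to re-issue all x509 credentials even when their inputs have not changed.` makes the switch discoverable — the defaults file is not in this patch, so it may already be there. The enclosing task starts above the hunk.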
 