git subrepo pull (merge) float

subrepo:
  subdir:   "float"
  merged:   "89039534"
upstream:
  origin:   "https://git.autistici.org/ai3/float.git"
  branch:   "master"
  commit:   "89039534"
git-subrepo:
  version:  "0.4.7"
  origin:   "https://github.com/ingydotnet/git-subrepo"
  commit:   "c9ec2a6"

float/.gitrepo

@@ -6,7 +6,7 @@
 [subrepo]
 	remote = https://git.autistici.org/ai3/float.git
 	branch = master
-	commit = b02a3496b03886b59f9b1fd6c197d06c4a9ce66d
-	parent = c6d787af527667d24631d61f7b3050d25cce8139
-	cmdver = 0.4.6
+	commit = 89039534fb72c317de51d7a5c2f8e6815d61b982
+	parent = 155d2691324dc97829db4e0a5f77b512bb8c0647
+	cmdver = 0.4.7
 	method = merge

float/float

@@ -364,14 +364,13 @@ def command_create_env(path, services, passwords, playbooks,
     # Catch ValueError to handle parsing errors for composite-valued
     # options and print a friendly message.
     try:
-        all_vars['inventory']['hosts'] = _random_hosts(
-            num_hosts,
-            _parse_additional_host_groups(additional_host_groups),
-        )
+        extra_memberships = _parse_additional_host_groups(additional_host_groups)
     except ValueError:
         print('Unable to parse additional-host-group spec', file=sys.stderr)
         return 1
 
+    all_vars['inventory']['hosts'] = _random_hosts(num_hosts, extra_memberships)
+
     all_vars['ram'] = ram
     all_vars['config']['domain_public'] = [domain]
     all_vars['config']['domain'] = (

float/roles/float-base-datasets/templates/litestream-restore-script.j2

@@ -6,7 +6,7 @@
 set -a
 . /etc/litestream/{{ dataset_tag }}.env
 
-/usr/bin/litestream restore --config=/etc/litestream/{{ dataset_tag }}.yml --if-replica-exists -v "{{ dataset_path }}/{{ dataset_filename }}"
+/usr/bin/litestream restore --config=/etc/litestream/{{ dataset_tag }}.yml --if-replica-exists "{{ dataset_path }}/{{ dataset_filename }}"
 
 if [ $? -gt 0 ]; then
     echo "ERROR: restore failed!" >&2

float/roles/float-base/files/modprobe-hardening.conf

-# Disable automatic conntrack helper assignment.
-options nf_conntrack nf_conntrack_helper=0
-
 # Obscure network protocols with a bad security track record.
 install dccp /bin/false
 install sctp /bin/false

float/roles/float-base/tasks/debian_misc.yml

@@ -38,6 +38,11 @@
     dest: "/etc/sysctl.conf"
   notify: reload sysctl
 
+- name: Configure kernel modules
+  template:
+    src: "modules.conf.j2"
+    dest: "/etc/modules-load.d/float-base.conf"
+
 - name: Configure systemd
   copy:
     src: "system.conf"

float/roles/float-base/templates/modules.conf.j2

+# Make nf_conntrack sysctl available
+nf_conntrack

float/roles/float-infra-acme/templates/config.yml.j2

@@ -10,9 +10,9 @@ http:
   enabled: true
 dns:
   enabled: true
-  tsig_key_name: "acme"
-  tsig_key_algo: "{{ acme_tsig_key.algo }}"
-  tsig_key_secret: "{{ acme_tsig_key.private }}"
+  tsig_key_name: "acme."
+  tsig_key_algo: "{{ acme_tsig_key.algo | lower }}."
+  tsig_key_secret: "{{ acme_tsig_key.public }}"
   nameservers:
 {% for h in services['dns'].hosts | sort %}
     - {{ h }}.dns.{{ domain }}

float/roles/float-infra-dns/files/in-view.sed

+# Script to convert each zone in a view to a series of in-view declarations
+1i\
+// Automatically generated, do not edit.
+/^zone/{
+a\
+	in-view "internal-in";\
+};
+p
+}
+

float/roles/float-infra-dns/tasks/main.yml

@@ -29,6 +29,11 @@
   notify: reload bind
   register: dns_config
 
+- name: Install in-view.sed script
+  copy:
+    src: "in-view.sed"
+    dest: "/etc/bind/in-view.sed"
+
 - name: Create bind9 zone dirs
   file:
     path: "/etc/bind/zones"
@@ -60,6 +65,7 @@
   changed_when: false
   with_items:
     - named.conf.zones
+    - named.conf.zones.in-view
     - named.conf.internal-custom-zones
     - named.conf.external-custom-zones
 
@@ -103,13 +109,17 @@
   file:
     path: "/etc/credentials/dnssec"
     state: directory
-    mode: 0700
+    owner: root
+    group: bind
+    mode: 0750
 
 - name: Install DNSSEC keys
   copy:
     src: "{{ item }}"
     dest: "/etc/credentials/dnssec/{{ item | basename }}"
-    mode: 0600
+    owner: root
+    group: bind
+    mode: 0640
   with_fileglob:
     - "{{ credentials_dir }}/dnssec/K*.private"
     - "{{ credentials_dir }}/dnssec/K*.key"

float/roles/float-infra-dns/templates/bind/named.conf.local

@@ -32,6 +32,6 @@ view "external-in" in {
   // Include manually-maintained zones.
   include "/etc/bind/named.conf.external-custom-zones";
 
-// Include zonetool-maintained zones.
-  include "/etc/bind/named.conf.zones";
+  // Include zonetool-maintained zones (in-view references).
+  include "/etc/bind/named.conf.zones.in-view";
 };

float/roles/float-infra-dns/templates/bind/named.conf.options

@@ -30,6 +30,9 @@ options {
 
   dnssec-validation auto;
 
+  // For re-signing with dynamic updates.
+  key-directory "/etc/credentials/dnssec";
+
   notify no;
   rrset-order { order random; };
 

float/roles/float-infra-dns/templates/update-dns

@@ -3,7 +3,11 @@
 # Wrapper for zonetool, with the right options.
 #
 
-exec /usr/bin/zonetool \
+set -e
+
+rndc freeze
+
+/usr/bin/zonetool \
      --config /etc/dns/zonetool.yml \
      --named-conf /etc/bind/named.conf.zones \
      --output-dir /etc/bind/zones --delete \
@@ -11,4 +15,12 @@ exec /usr/bin/zonetool \
      --ds-dir /etc/bind/dnssec-ds \
      --nsec3-salt {{ dnssec_nsec3_salt }} \
      --dnssec-refresh \
+     --update-policy 'grant acme zonesub TXT' \
      /etc/dns/manual /etc/dns/auto
+
+sed -n -f /etc/bind/in-view.sed \
+     /etc/bind/named.conf.zones \
+     > /etc/bind/named.conf.zones.in-view
+
+rndc thaw
+

float/roles/float-infra-log-collector/templates/elasticsearch/log4j2.properties

@@ -7,6 +7,9 @@ status = error
 logger.action.name = org.elasticsearch.action
 logger.action.level = debug
 
+logger.deprecation.name = org.elasticsearch.deprecation
+logger.deprecation.level = error
+
 appender.rolling.type = RollingFile
 appender.rolling.name = rolling
 appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log

float/roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf.yml

@@ -2,7 +2,7 @@ groups:
   - name: roles/float-infra-prometheus/templates/rules/rules_ssl_probes.conf
     rules:
       - record: target:probe_ssl_cert_expiry:days
-        expr: ((min(probe_ssl_earliest_cert_expiry) by (probe,host)) - time()) / 86400
+        expr: ((min(probe_ssl_earliest_cert_expiry) by (float_job,probe,host)) - time()) / 86400
 
       - record: service_credentials_expiration_time:days
         expr: ((min(service_credentials_expiration_time) by (name,float_service)) - time()) / 86400

float/roles/float-util-credentials/tasks/main.yml

@@ -76,7 +76,7 @@
         params: "{{ item.0.x509_params|default({}) }}"
         private_key_path: "/etc/credentials/{{ item.0.credentials.ca_tag | default(default_ca_tag) }}/{{ item.0.credentials.name }}/{{ item.0.mode }}/private_key.pem"
         check: false
-      when: "item.1.changed"
+      when: "item.1.changed or (force_renew_credentials | default(False))"
       loop: "{{ credentials | zip(x509_should_update.results) | list }}"
       register: x509_csr