Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2021-09-23T21:15:58Z

https://gitlab.com/sympl.io/sympl/-/issues/317
sympl-mail: /srv/example.com/mailboxes is required to accept mail
2021-09-23T21:15:58Z
Paul Cammish

Due to the changes in Exim in Debian 11, the config now expects the /srv/example.com/mailboxes directory to exist for incoming mail, and fails if it doesn't (ie: there's aliases or default forward, etc).
Reported in https://forum.sympl.host/t/mail-aliases-in-config-aliases/234

Paul Cammish
2021-09-24

https://gitlab.com/sympl.io/sympl/-/issues/309
sympl11 - Re-enable stable CI
2021-08-13T16:08:34Z
Paul Cammish

No stable branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the stable branch has been publicly built.

Sympl 11 for Debian Bullseye
Paul Cammish
2021-06-01

https://gitlab.com/sympl.io/sympl/-/issues/281
sympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sni
2020-04-20T10:41:32Z
Paul Cammish

Obviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/

Paul Cammish
2020-04-20

https://gitlab.com/sympl.io/sympl/-/issues/280
sympl-core: sympl-filesystem-security breaks access to config/stats-htaccess
2020-04-20T10:41:34Z
Paul Cammish

Reported by a user, the `config/stats-htaccess` file has its permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/stats

Paul Cammish
2020-04-20

https://gitlab.com/sympl.io/sympl/-/issues/201
`sympl-ssl` does not support Let's Encrypt v2 API
2019-10-30T09:16:52Z
Paul Cammish

At present, as it's using an old Ruby library, `symbiosis-ssl` does not support the updated version of the Let's Encrypt API, meaning that as per [this notice](https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430), it will begin to stop working in November of 2019 for new installs, and through the next year, slowly stop working.
With this in mind, it would make sense to refactor this element of Sympl into a wrapper around existing Let's Encrypt tools, such as certbot or acmetool, rather than using a third party library, retaining the existing generation of self-signed certs and general cert management.

Paul Cammish
2019-10-31

https://gitlab.com/sympl.io/sympl/-/issues/19
New runner configuration is needed
2019-04-11T21:59:48Z
Paul Cammish

At present it's all running inside docker - this is okay for simple jobs but not for testing, as it's not the same as a real dedi or VM.
gitlab-runner supports VirtualBox VMs used for this purpose, so I will need to set this up.

Testing Suite
Paul Cammish
2019-04-12

https://gitlab.com/sympl.io/sympl/-/issues/350
sympl-filesystem-security: Play nicer with composer-based setups
2024-03-22T16:34:14Z
Paul Cammish

Composer tends to put things in public/vendor, which it expects to be executable (composer itself, drush, etc), and currently `sympl-filesystem-security` resets these permissions.
A simple fix is to just exclude the contents of public/vendor when we also exclude public/cgi-bin

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/349
sympl12 - sympl-php-configure - open_basedir inherits other variables when not set
2024-03-15T14:32:24Z
Paul Cammish

When `open_basedir` isn't set in an FPM (ie: `disable-php-security` is enabled), it inherits the last setting it had for another site which does have it set, which will likely break the site.
A workaround for this is to either use a separate pool, or edit the apache config and manually set `open_basedir` to `/`.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/348
Automatic install script fails when /etc/apt/sources-list.d is empty
2024-02-23T09:57:59Z
pcollinson

# Summary
When using the install.sh script on a completely vanilla Debian Bookworm system, where /etc/apt/sources.list.d is empty, the script fails saying:
```sed: can't read /etc/apt/sources.list.d/*: No such file or directory```
# Steps to reproduce
Run install.sh on a system with an empty /etc/apt/sources.list.d
# What is the current bug behavior?
The relevant code starts at line 146 in install.sh, the code is
```
if [ "$(find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' | wc -l )" != "0" ] \
  || [ "$( grep -c '^deb http://packages.mythic-beasts.com/mythic/' /etc/apt/sources.list.d/* )" != "0" ]; then
  echo -n "Removing previous Sympl repo..."
  find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' -delete
  sed -i 's|^deb http://packages.mythic-beasts.com/mythic/.*|#&|' /etc/apt/sources.list.d/*
  echo " OK"
fi
```
placing this code in a file and running it with bash -x says:
```
~# bash -x ax
++ find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list'
++ wc -l
+ '[' 0 '!=' 0 ']'
++ grep -c '^deb http://packages.mythic-beasts.com/mythic/' '/etc/apt/sources.list.d/*'
grep: /etc/apt/sources.list.d/*: No such file or directory
+ '[' '' '!=' 0 ']'
+ echo -n 'Removing previous Sympl repo...'
Removing previous Sympl repo...+ find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' -delete
+ sed -i 's|^deb http://packages.mythic-beasts.com/mythic/.*|#&|' '/etc/apt/sources.list.d/*'
sed: can't read /etc/apt/sources.list.d/*: No such file or directory
+ echo ' OK'
OK
```
# What is the expected correct behavior?
I think this code should be skipped if the directory is empty.
# Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)
# Possible fixes
I worked around by touching a README file in /etc/apt/sources.list.d.
However the code may need to be
```
if [ "$(find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' | wc -l )" != "0" ]; then
  if [ "$( grep -c '^deb http://packages.mythic-beasts.com/mythic/' /etc/apt/sources.list.d/* )" != "0" ]; then
    echo -n "Removing previous Sympl repo..."
    find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' -delete
    sed -i 's|^deb http://packages.mythic-beasts.com/mythic/.*|#&|' /etc/apt/sources.list.d/*
    echo " OK"
  fi
fi
```
Caveat: edited but not tested.
/cc @kelduum

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/347
Job Failed #5314445584
2024-03-15T14:31:33Z
Paul Cammish

Job [#5314445584](https://gitlab.com/sympl.io/sympl/-/jobs/5314445584) failed for 50b44f390188f58a2fee8eccd3d6aac41e5c62a0:
```
Enable PHP8.0-FPM... E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 111533 (unattended-upgr)
```
Need to ensure unattended-upgrades is fully disabled/stopped before running tests

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/346
Job Failed #5310899270
2023-11-08T14:48:59Z
Paul Cammish

Job [#5310899270](https://gitlab.com/sympl.io/sympl/-/jobs/5310899270) failed for 8a6de491361f8bc509ebb5bf224db975f70aad84:
```
+ symbiosis-firewall-whitelist --verbose
<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- symbiosis_utmp (LoadError)
```
Need to make sure symbiosis_utmp.so is compiled and placed in the right location

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/345
sympl-ssl fails to override ssl-only config for a site during ACME HTTP-01 challenge verification
2023-06-14T19:10:52Z
Lauren Kelly

# Summary
sympl-ssl will fail to obtain/renew certificates for a site which has had the ssl-only config option enabled.
I understand it is meant to override this during HTTP-01 challenge verification; this doesn't seem to work.
# Steps to reproduce
1. Automatically install Sympl on Debian 10.
2. `sympl web create example.com`
3. `touch /srv/example.com/config/ssl-only`
4. `sudo sympl-web-reconfigure example.com`
5. `sudo sympl-ssl --verbose example.com`
# What is the current bug behavior?
Let's Encrypt is unable to verify the HTTP-01 challenge, as the forced HTTPS redirection is not disabled during the certificate renewal process (or at least overridden for .well-known/acme-challenge/*)
# What is the expected correct behavior?
Acme challenge verification succeeds, as http://example.com/.well-known/acme-challenge/* does not engage the HTTPS direct configured by ssl-only, during the verification process.
/cc @kelduum

https://gitlab.com/sympl.io/sympl/-/issues/343
Can't deliver to local mailboxes - "Tainted arg 6 for dovecot_lda transport"
2023-05-12T15:34:14Z
Paul Cammish

Exim is logging:
```
<address> R=vhost_forward_sieve T=dovecot_lda: Tainted arg 6 for dovecot_lda transport command: '<address>'
```
...for local mail.
Likely some more de-tainting will be required.

Sympl 12 (bookworm)
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/342
sympl-web-generate-stats doesn't always generate statistics
2023-05-09T08:43:21Z
Paul Cammish

It looks to be checking the files to see if there have been any changes, where this is not really relevant - awffull is fine being passed the same information multiple times, or empty log files.

Sympl 12 (bookworm)
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/341
Error: test_ssl_fetch_new_certificate(SSLTest): OpenSSL::X509::RequestError: illegal zero content
2023-06-10T20:45:15Z
Paul Cammish

```
Error: test_ssl_fetch_new_certificate(SSLTest): OpenSSL::X509::RequestError: illegal zero content
/usr/lib/ruby/3.1.0/openssl/x509.rb:387:in `to_der'
/usr/lib/ruby/3.1.0/openssl/x509.rb:387:in `=='
/etc/sympl/test.d/tc_ssl.rb:745:in `test_ssl_fetch_new_certificate'
742: assert_equal(set.bundle, [ca_cert])
743: assert_equal(set.key, key)
744: assert_equal(set.certificate, cert)
=> 745: assert_equal(set.request, request)
746:
747: assert_equal("0", @domain.ssl_next_set_name)
748: set.name = "0"
```

Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/340
CI: "TMPDIR is not writable: /tmp/user/0" (Bookworm)
2023-05-04T13:41:04Z
Paul Cammish

There's quite a few warnings/errors being thrown in the CI with
```
TMPDIR is not writable: /tmp/user/0
TMP is not writable: /tmp/user/0
TEMP is not writable: /tmp/user/0
```

Sympl 12 (bookworm)
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/339
domain/mailbox.rb - "warning: constant Struct::Passwd is deprecated" (Bookworm)
2023-05-04T13:41:21Z
Paul Cammish

A number of ruby warnings for `Struct::Passwd` used in mails domain/mailbox.rb.

Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/338
sympl-mail-dict-proxy - passed username incorrect? (bookworm)
2023-06-10T20:43:17Z
Paul Cammish

Something changed with bookworm, and it now seems the dict proxy is now being sent `Lshared/passdb/<username><tab><username>` rather than the expected `Lshared/passdb/<username>`.
Trimming the tab and everything after this 'fixes' it, but it needs investigation as to why this happens.

https://gitlab.com/sympl.io/sympl/-/issues/337
Build: docker build image not based on bookworm
2023-05-02T12:02:32Z
Paul Cammish

The docker build image is currently a clone of the buster image, so is building things slightly wrong, which may account for errors in `sympl-firewall`.
This should be fixed up ASAP.

Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/336
Blocking: Selectable PHP versions
2023-06-10T20:41:31Z
Paul Cammish

Bookworm will ship with PHP 8.2, which is nice, but a lot of stuff (notably WordPress plugins and themes, for example) is unhappy with, so selectable PHP versions will be pretty much mandatory.
Using Sury's repo from deb.sury.org seems the way to go, firing up FPM instances as needed, and managing PHP dependencies/extensions/etc based on the ones installed by default, or having a configurable list in `/etc/sympl`, along with a configurable default PHP version for the server, defaulting to the debian shipped version.
This *could* be a separate package, but it would make sense to roll it into `sympl-web` and the existing templates, and have a selectable PHP version in `config/php`, defaulting to normal base version, with the PHP user/group taken from the existing configs for the site (defaulting to www-data for now), and maybe separate pools per-domain.
Configuration for number of children will be needed, with some basic `config/php-threads` setting with the max number, with a basic minimum and sane values taken from that with divisors would make sense.
It may be moving PHP to FPM wholesale would be the way to go, leaving things like phpmyadmin and roundcube on regular PHP.

Sympl 12 (bookworm)
Paul Cammish