Quack,
Let's begin with the bad news.
=== Credentials and potential LDAP info leak ===
Our MediaWiki instances' configuration, like all the rules of our infra, is open source. Unfortunately, certain secrets were not protected as they should have been:
* database credentials: MariaDB is not available from the outside, so it's not a big deal
* contact emails: we try to hide all emails to avoid SPAM; webmaster, HappyPeng and myself are affected
* wiki secret key: used to generate entropy when a proper source is not available, which is not our case
* LDAP service account: this is a nasty part as most user information might be accessed; we do not keep more than needed to run the service but real names and email addresses could have been listed; all credentials are safe and no modification is possible though
We did not find any suspicious activities in the logs, but that's difficult to assess.
So obviously before sending this email we remedied the situation. We also plan to limit how this account can be used even more.
Deeply sorry for this mistake :-/.
=== Progress on the new hardware ===
Nicecity's hardware gave some difficulties and a new disk was needed. It is now almost fully deployed with Ansible, so we should soon be able to use it in production.
Toushirou-NG's deployment is done and we're regularly syncing it. We're keeping it up-to-date with current production and are preparing the migration steps.
=== StuffCloud login Security ===
Two-factor authentication (2FA) using TOTP and U2F has been activated and tested for some time now. We did not have any problem with either method, so we strongly suggest you try it.
The documentation has been updated to give more information on how to set this up: https://users.duckcorp.org/index.php/Services/StuffCloud
=== Wiki Migration ===
The shared wiki (wiki.duckcorp.org), running on MoinMoin, is going to migrate soon to MediaWiki in order to avoid having to maintain two systems.
=== Mail and Sync User ===
Some users prefer to sync emails on their machine, which can be handy if you travel, wish to access them offline and later have all your modifications propagated. It can also be useful as a backup mechanism.
One problem with most tools is their inability to "move" mails (instead of "copy"), which prevents them from using the 'Junk' folder.
A simple solution is now available, described here: https://users.duckcorp.org/index.php/Services/Mail#Retraining_for_feature-li...
=== Web and PHP ===
We were already investigating using PHP FPM instead of the embedded Apache mod_php. This is more secure and flexible as you can run the wanted number of workers using a dedicated UNIX user, thus preventing one instance from reading files from the others.
It happens that we activated HTTP2 in the past and some related fix unfortunately required changing the Apache MPM, which is not possible with mod_php, or abandoning HTTP2, so this changed priorities a bit.
The full migration has just been done for all PHP-enabled vhosts, so tell us if you encounter any problem.
Hope you enjoyed the Hanami! \_o<
Quack,
=== Hardware Migration ===
Toushirou will be migrated on 2019-05-04. The replacement should start around 09:00 CET.
Earlier in the morning SSH user logins will be denied and all user sessions stopped, so please stop any script or connection you may have the day before to be sure.
When the dispatched team is ready to make the switch, all services will be shut down and a final synchronization of all data will be done. It may take some time to change the hardware and check network and remote access. We'll check all services shortly after that. Exact timing and notifications will be given on IRC on #MilkyPond. You're also welcome to follow technical discussions on #DuckCorp.
=== Wiki Migration ===
The wiki has successfully been migrated.
_o<