Thursday, November 27, 2025
support@conference.yunohost.org

[09:46:38] <Michele Agostinelli> I'm looking for a solution to limit bot access, I receive too many requests to a gitea instance hosted with yunohost. Is there any app/conf on yunohost to activate a per-IP limit?
[10:00:34] <err404> Michele Agostinelli: from bots? or from people?
[10:05:47] <homelab-fr> https://aria.im/_bifrost/v1/media/download/AVUFX7dmYtqhvfc0xU3DhI6d0P3yszu4iuxAnWhsyHIDoGdlQ8WX4YqbloGUiKYcgzijQPCPHl37Wf1ghShLXkdCeaye0PWQAG1hdHJpeC5vcmcvY0J2QWFhZXhWQm1ZaHRxU2tJSkZ6ekxr
[10:05:48] <homelab-fr> hello everyone! quick question: if I don't use a .local name, do I need to leave these ports open, please? I'm not really sure what they are for. Thanks in advance

[10:09:16] <westbam> Hi
[10:09:45] <westbam> I have a question about authentication in yunohost
[10:10:18] <westbam> is it possible to enable MFA??
[11:00:19] <Michele Agostinelli> > Michele Agostinelli: from bots? or from people?

Bots
[11:01:33] <Salamandar> Not yet, but there are things in the works
[11:04:50] <err404> Michele Agostinelli: do they try to reach forbidden files or nonexistent files? (error 400 or 404 usually)
[11:06:50] <westbam> Salamandar ok cool, if you have links to follow the topic, I'm interested. What I had found is a bit dated, let's say
[11:08:03] <Chatpitaine Caverne> Is it planned with Trixie (Debian 13)?
I was searching in order to answer westbam because I thought I had read that somewhere on the Yunohost site, but I can't find it anymore.
[11:09:03] <err404> Michele Agostinelli: if yes, you can edit filter in fail2ban, like this: https://err404.numericore.com/en/Misc/fail2ban/
I used this on my yunohost
[11:15:39] <Chatpitaine Caverne> Ah, I think it's in the roadmap (https://yunohost.org/roadmap.fr.html) that I saw, for Yunohost 13.1: "Replace SSOwat by Authelia (?)" and also in the someday section: "2FA in webadmin".
[11:19:23] <Michele Agostinelli> > Michele Agostinelli: if yes, you can edit filter in fail2ban, like this: https://err404.numericore.com/en/Misc/fail2ban/
> I used this on my yunohost

Not in this case. The bots are like crawlers, so they get existing pages (200)
[11:19:53] <FbIN> Use anubis, or just ban via an ipfilter list under fail2ban
[11:20:49] <FbIN> bots being banned via hosts/ipfilter: https://git.flossboxin.org.in/vdbhb59/hosts/raw/branch/main/bots.txt
[11:23:55] <FbIN> BTW, not fully relevant, but the YNH apps has: fail2ban-web
[12:08:29] <Salamandar> No, not with Trixie, at least not the first release
[12:08:35] <Salamandar> Yes, the idea is Authelia :)
[12:08:45] <Salamandar> I think it's Josue who is working on it, I don't know how far along he is
[12:08:56] <Salamandar> (I put up a bit of resistance so that we don't reinvent the wheel ^^)
[12:31:31] <captainhonora> This last step in particular has been running for several hours
[12:58:39] <captainhonora> Hello, what are the possible causes of systemd-update-utmp-ruse taking a very long time?
Reached target graphical.target - Graphical Interface.
Starting systend-update-utmp-rustOm - Record Runlevel Change in UTMP...
Finished
systemd-update-utmp-ruse - Record Runlevel Change in UTMP.
[12:58:46] <err404> captainhonora: what happens if you reload the page? (sometimes it's only the display that isn't up to date)
[12:59:26] <captainhonora> it's directly in the CLI, I'm looking at the machine's screen physically in the room
[13:00:21] <err404> ah sorry
[14:09:52] <dragon> https://aria.im/_bifrost/v1/media/download/AV47ASHGNpZcDLoITfpVHN4laTQl9MnoOK7SX-FK_JzefMWA20N9C8wZwui4-78XRBKiWBTYf6bG9w7dHLk1YjhCeaysyHQQAG1hdHJpeC5vcmcvWGJobmxGRkxuWkNGdEtIcHFuaVF2cHhG
[14:09:52] <dragon> https://aria.im/_bifrost/v1/media/download/AYBIJzQ00qUZcDgWz1ufVmgOijCLdW053p_bLg-KYddz9nLWmPT-gUWi5Tjg_qy7lWED6AtPFgzDfmOXoLuPagxCeaysyE0AAG1hdHJpeC5vcmcvT0llRUJERE1jVkVkU1ZpV3pBcnB3VWtT
[14:10:48] <dragon> Hello everyone, I am here to ask about two issues I have been unable to solve on my own.

Ports:
I installed an app called Screego, I decided to uninstall it, but I noticed that the ports still exist within the firewall. For organization and security purposes I tried disabling it using the Yunohost Panel, when I reload, it turns itself on again.

Then I tried to do what was discussed in this Github Issue: https://github.com/YunoHost/issues/issues/2180 using the command `yunohost firewall disallow`, I rebooted the server, now I have two copies of the same port for Screego, one is off and the other is on...I can't disable the new one that was created after the reboot, but I can disable and enable the previous one for whatever reason.

Nftables:
I noticed that whenever nftables are regenerated, there seems to be a bug of some kind. It still says the task was successful despite the error:
Could not run script: /usr/share/yunohost/hooks/conf_regen/40-nftables
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/yunohost/hook.py", line 302, in hook_callback
hook_return = hook_exec(
^^^^^^^^^^
File "/usr/lib/python3/dist-packages/yunohost/hook.py", line 428, in hook_exec
raise YunohostError("hook_exec_failed", path=path)
yunohost.utils.error.YunohostError: Could not run script: /usr/share/yunohost/hooks/conf_regen/40-nftables

The full log https://paste.yunohost.org/raw/wuxeyilabo

I tried to do `systemctl restart nftables` and it fails. Then `systemctl status nftables.service` and see this:
× nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/nftables.service.d
└─yunohost-nftables-hooks.conf
Active: failed (Result: exit-code) since Thu 2025-11-27 23:00:28 JST; 2min 37s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 2836 ExecStartPre=/usr/share/yunohost/yunohost-nftables-hooks pre (code=exited, status=0/SUCCESS)
Process: 2838 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
Main PID: 2838 (code=exited, status=1/FAILURE)
CPU: 23ms


It doesn't seem like this is causing any noticeable issue in the server's function as of now but it is still something odd I hope I can fix.

I hope that isn't too much to ask, please take your time answering. I am always here to provide more details.
[14:30:34] <Chatpitaine Caverne> dragon: I'm not an expert but I'd look into:

`sudo cat /etc/nftables.conf`

and more into: `sudo cat /etc/nftables.d/yunohost-firewall.conf`
[14:49:23] <dragon> Should I give you the output of these commands?
[14:51:45] <Chatpitaine Caverne> It looks a bit esoteric to me. Maybe to you also.
You can share if you want help to decrypt it, but you have to know that it can be sensitive security data, well not so much, but still.
[14:54:37] <dragon> yes, i am not so sure if i feel comfortable sharing that information.
i am unsure of how to proceed with these commands, is there any place where i can view the default configuration so i know what it is supposed to look like? so i can compare and contrast my current configuration with the standard to find the potential error.

thank you for your help 👍️
[14:56:41] <Chatpitaine Caverne> Maybe you can try: `sudo yunohost tools regen-conf nftables --dry-run --with-diff`
But it seems it already failed, if I read the previous logs correctly.
[15:01:39] <dragon> I tried to do the command but I did not receive anything back when I sent it. Yes, it probably most likely failed before.
[15:01:46] <FbIN> I am guessing these may give some idea:

https://github.com/YunoHost/yunohost/blob/dev/hooks/conf_regen/40-nftables

https://github.com/YunoHost/yunohost/blob/dev/conf/nftables/nftables.d/yunohost-firewall.tpl.conf

https://github.com/YunoHost/yunohost/blob/966dd6e827f5a6101d18a6cf8690a82f8cb64158/hooks/conf_regen/52-fail2ban#L42

I may be wrong as well
[15:02:11] <bbohard> I just noticed 40-nftables is the only script with execution bit unset in yunohost repository. Is 40-nftables executable in /usr/share/yunohost/hooks/conf_regen/ ? (just to be sure the "Could not run script" error is not just some permission issue, do not know if this is related)
[15:04:55] <bbohard> on the server, /etc/yunohost/firewall.yml may also contain some important information too (guessing while reading 40-nftables).
[15:06:46] <Chatpitaine Caverne> If it is as stupid as that then : `sudo chmod +x /usr/share/yunohost/hooks/conf_regen/40-nftables` would help.
[15:22:56] <dragon> When I did this, I got `./40-nftables: line 68: do__regen: command not found`
[15:23:02] <bbohard> hook is launched with `sh` so it should not matter if it is executable after all
[15:31:45] <bbohard> when executed in the right context, do_$1_regen is expanded to do_pre_regen or do_post_regen
[15:40:01] <dragon> I am not really familiar with these commands (I know the basics of command line and I only began to use Yunohost recently- so I am very much a beginner at everything), I don't understand what you exactly mean or what I should do next to fix the issue.
[15:43:05] <dragon> Hello everyone, I am here to ask about two issues I have been unable to solve on my own.
Note: I am a beginner and not an advanced user.

[15:52:11] <bbohard> I am discovering much of it right now too. My first hypothesis was that maybe a missing executable bit on 40-nftables could be responsible for one of the errors you mentioned earlier, but it should not (executable bit is not needed here).
[15:53:52] <bbohard> I do not know if hooks (such as 40-nftables) should be executed on their own. `command not found` is due to the script waiting for parameter (with value `pre` or `post`).
[15:54:32] <bbohard> This parameter is given to the hook when launched through cli yunohost
[15:55:57] <Chatpitaine Caverne> dragon: Did you have a look into /etc/yunohost/firewall.yml as suggested by bbohard earlier? Because maybe if you have two entries for the same port (as you said before) then the program didn't handle such a case.
[16:21:22] <dragon> i was meaning to do that next. it is quite late for me here, so i will get back to you both on that tomorrow. thank you for your help so far. 👍️
[20:57:06] <Joanna> Hello everyone :) Excuse me, is it possible to disable automatic mailing for diagnosis issues? Or to filter out a few of them? I have disabled the yunohost-api service and I am receiving a daily alert about the status of the service
I'm a beginner, but I feel comfortable using the command line to change settings
[20:59:07] <Aleks (he/him/il/lui)> ideally the recommendation is either fix the issues reported or flag them as to-be-ignored if they are not relevant for some reason
[20:59:46] <Aleks (he/him/il/lui)> but if you absolutely don't want the diagnosis to run or you want to disable the email you can tweak the cron job file in uuuuuuuh /etc/cron.d/yunohost-diagnosis, not sure about the exact name / path
[21:00:25] <Aleks (he/him/il/lui)> yeah that's the right path
[21:00:34] <Aleks (he/him/il/lui)> possibly you can also just remove the `--email` arg
[21:01:26] <Aleks (he/him/il/lui)> but would definitely encourage to just ignore the issues that are not relevant with `yunohost diagnosis ignore` though uuuuugh it's not 100% straightforward to use
[21:03:58] <Chatpitaine Caverne> https://aria.im/_bifrost/v1/media/download/AaUx3khpA3DrGLUToHoN4LZabOt-LtGQwq1B8HGZw_WsJxYbbIAEXvRt4y9QdCWJy3j28mfrqY_8JEBgCH3i7apCeazEd6LgAGNpcmthdS5hcnQvYkxVdFF5dW5Za0tvWUhFcW9reWlQVUFy
[21:04:23] <Chatpitaine Caverne> On the diagnosis page, you can click the Ignore button in front of the anomaly you don't want to be made aware of again.
[21:07:02] <Chatpitaine Caverne> But as Aleks said, keep the automatic diagnostic, it can save you a lot of trouble.
[21:13:25] <Aleks (he/him/il/lui)> (yeah but the point is that this person disabled the API / webadmin)
[21:14:24] <Chatpitaine Caverne> Huuuh. Sorry didn't know