{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":199054760,"defaultBranch":"main","name":"server-etc","ownerLogin":"lucaswerkmeister","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2019-07-26T17:19:43.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/2346599?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1623701416.346672","currentOid":""},"activityList":{"items":[{"before":"27c230c1d4db919b7447d9b40a40b3291f10c486","after":"f4fd42b9985bc2f7f77e1e87d7dbb93582ea4528","ref":"refs/heads/main","pushedAt":"2024-05-08T08:59:30.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Update cpufrequtils.service\n\nRestrictAddressFamilies=none has been supported since systemd v249 [1].\n\n[1]: https://github.com/systemd/systemd/commit/4e6c50a5d4","shortMessageHtmlLink":"Update cpufrequtils.service"}},{"before":"a61ac10c588a2960ad09e4b5d122256115271194","after":"27c230c1d4db919b7447d9b40a40b3291f10c486","ref":"refs/heads/main","pushedAt":"2024-04-22T20:36:13.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Run dehydrated a little more often\n\nThe service occasionally fails (with random, transient errors), and if\nit renews certificates once they are valid for less than 30 days, and\nonly runs once a week, then just four failures in a row could mean the\ncertificate expires before it’s renewed, which feels a bit risky to me.\nLet’s run it every four days instead.","shortMessageHtmlLink":"Run dehydrated a little more 
often"}},{"before":"382cd936163f29c2e05e16319deb168ab47565d3","after":"a61ac10c588a2960ad09e4b5d122256115271194","ref":"refs/heads/main","pushedAt":"2024-04-10T00:30:15.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Mark even more CI-related emails as read\n\nI didn’t even notice in the previous commit that “Wikipedia” also had\nchanged to “Wikimedia Commons” (I copied the whole subject from an\nexisting email). Evidently I have CI for both Commons and Wikipedia on\nBeta, so mark both as read.","shortMessageHtmlLink":"Mark even more CI-related emails as read"}},{"before":"ba5073a1e52764f7ed93a83a48fe9c466ec5dc20","after":"382cd936163f29c2e05e16319deb168ab47565d3","ref":"refs/heads/main","pushedAt":"2024-04-09T20:57:18.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Mark more CI-related emails as read\n\nSame as the above rule, but for the Beta cluster. 
(Nested allof + anyof,\nfor “to that account with either of these subjects”, is apparently not\nsupported, so just duplicate the rule.)","shortMessageHtmlLink":"Mark more CI-related emails as read"}},{"before":"5605c52d53c51ef02604a62c55d10b7a93544e66","after":"ba5073a1e52764f7ed93a83a48fe9c466ec5dc20","ref":"refs/heads/main","pushedAt":"2024-04-02T20:44:21.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Update Wikibase UG List-Id header\n\nsurely that Telegram link will never change and I’ll never have to\nupdate this rule all the time","shortMessageHtmlLink":"Update Wikibase UG List-Id header"}},{"before":"c7c5d5ada4762ee629a2b3410b1ca7a0df595256","after":"5605c52d53c51ef02604a62c55d10b7a93544e66","ref":"refs/heads/main","pushedAt":"2024-03-04T18:29:24.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Only let Unbound bind to port 53\n\nAs far as I can tell, we can’t restrict it to only bind on localhost\nwithout also cutting off its internet access, but at least we can\nprevent it (privileged as it is, with CAP_NET_BIND_SERVICE) from binding\nto other ports. (Note that we allow binding either TCP or UDP, and\neither IPv4 or IPv6. 
Unbound listens on all four combinations.)","shortMessageHtmlLink":"Only let Unbound bind to port 53"}},{"before":"bca867e5377159d84b6d57b9be12cf402dfa295b","after":"c7c5d5ada4762ee629a2b3410b1ca7a0df595256","ref":"refs/heads/main","pushedAt":"2024-02-15T12:44:40.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove `systemctl reset-failed git@*.service` sudo override\n\nI no longer run this command regularly (I stopped the git socket a while\nago and should probably clean up the associated units eventually), so\nlet’s remove this. (Note that, due to the limitations of globbing in\nsudoers, it actually allowed resetting the failed status of arbitrary\nother units as well.)","shortMessageHtmlLink":"Remove systemctl reset-failed git@*.service sudo override"}},{"before":"101bc2dffa6d02686a2b408b37a68857793a6932","after":"bca867e5377159d84b6d57b9be12cf402dfa295b","ref":"refs/heads/main","pushedAt":"2024-01-18T10:52:18.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Tighten dehydrated.service sandbox a bit more\n\nSymlink in the two shared snippets to deny it any access to mail and Tor\ndirectories whatsoever.","shortMessageHtmlLink":"Tighten dehydrated.service sandbox a bit more"}},{"before":"ecbdee047108cd35dece8205c26ec5725c482d07","after":"101bc2dffa6d02686a2b408b37a68857793a6932","ref":"refs/heads/main","pushedAt":"2023-12-31T09:48:13.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove three more directories from 
.gitignore\n\nThey’re already tracked entirely in .git (except for a handful of\nunneeded editor backup files~ that I just removed).","shortMessageHtmlLink":"Remove three more directories from .gitignore"}},{"before":"a7aae707df21c3d39bb8e7523be6e0e923bea391","after":"ecbdee047108cd35dece8205c26ec5725c482d07","ref":"refs/heads/main","pushedAt":"2023-12-31T09:31:39.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Mitigate SMTP Smuggling attack some more\n\nNow that I have Postfix 3.7.9 installed, where this new setting is\navailable. On Postfix 3.9 or later, I’ll be able to remove this, as it\nwill be enabled by default there.","shortMessageHtmlLink":"Mitigate SMTP Smuggling attack some more"}},{"before":"932f2f5969f5a4a5b782d40ec727d49ff925cc1e","after":"a7aae707df21c3d39bb8e7523be6e0e923bea391","ref":"refs/heads/main","pushedAt":"2023-12-22T13:17:57.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Mitigate SMTP Smuggling attack","shortMessageHtmlLink":"Mitigate SMTP Smuggling attack"}},{"before":"d42ae413f015cd22db3c11221e3b4393a236eacd","after":"932f2f5969f5a4a5b782d40ec727d49ff925cc1e","ref":"refs/heads/main","pushedAt":"2023-08-26T17:50:15.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove /dovecot/ from .gitignore\n\nThe only file we don’t want to commit is /passwd.db (the passwords are\nhashed but there’s still no reason to let everyone crack them). 
There\nwas also a private/ directory, with dovecot.{key,pem} symlinks to\nsnakeoil files in /etc/ssl, but that seems to have been unused – I\nrenamed it a month ago and nothing broke.","shortMessageHtmlLink":"Remove /dovecot/ from .gitignore"}},{"before":"0795681a99fb799b3901d734e99fafa11455f0d6","after":"d42ae413f015cd22db3c11221e3b4393a236eacd","ref":"refs/heads/main","pushedAt":"2023-08-26T12:22:26.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Update Minecraft to 1.20.1\n\nAlso update GraalVM while we’re at it.","shortMessageHtmlLink":"Update Minecraft to 1.20.1"}},{"before":"018d62aed58751c0846262e78cc7f83a8123309a","after":"0795681a99fb799b3901d734e99fafa11455f0d6","ref":"refs/heads/main","pushedAt":"2023-08-09T09:27:50.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Add a few more sandboxing directives for apache2.service\n\nImproving the `systemd-analyze security` exposure score from 3.6 to 2.7.","shortMessageHtmlLink":"Add a few more sandboxing directives for apache2.service"}},{"before":"e008202d0f291e4aa10195393896d88d2fba3855","after":"018d62aed58751c0846262e78cc7f83a8123309a","ref":"refs/heads/main","pushedAt":"2023-08-09T09:16:25.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove /fail2ban/ from .gitignore","shortMessageHtmlLink":"Remove /fail2ban/ from 
.gitignore"}},{"before":"bbb77c9bb9684afe7851ce183b8f7e59d4abccba","after":"e008202d0f291e4aa10195393896d88d2fba3855","ref":"refs/heads/main","pushedAt":"2023-07-23T12:02:12.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Use Unbound for SpamAssassin\n\nAccording to journal messages, my spamd was getting blocked by URIBL,\nwhich apparently happens when using a shared DNS resolver such as\nHetzner’s (https://uribl.com/refused.shtml). Avoid this by running\nUnbound as a local recursive DNS server (systemd-resolved is only a stub\nresolver), though we only use it for SpamAssassin, not the rest of the\nsystem (I disabled unbound-resolvconf.service).\n\nUpstream Unbound is pretty well integrated with systemd (including,\napparently, socket activation support), but Debian doesn’t use any of\nthat, shipping its own unit file which is completely unsandboxed. I\ndon’t feel comfortable replacing that unit file (the directive\nExecStartPre=-/usr/libexec/unbound-helper root_trust_anchor_update\nsounds important), but let’s add a lot of sandboxing directives; many of\nthem are based on the upstream service file [1], but with a few\nnoteworthy differences:\n\n- Unbound can chroot() itself depending on its config, and accordingly,\n the upstream unit file includes CAP_SYS_CHROOT, and only blocks the\n mount syscall but not the whole @mount system call set. I’m not\n interested in Unbound doing the chroot() itself (if I want a chroot,\n I’ll do it via RootDirectory=), so remove that capability and block\n the whole syscall set.\n\n- Unbound apparently has a “feature” to change kernel sysctls for the\n whole system to improve its own performance, and therefore does not\n set ProtectKernelTunables=yes upstream. 
The feature is disabled by\n default, and I have no intention of using it (if I want to change a\n sysctl, I’ll do it in sysctl.d(5)), so add ProtectKernelTunables=yes\n to the sandbox.\n\nNote that we have to set ReadWritePaths=%S/unbound, not\nStateDirectory=unbound, because StateDirectory= implies it should be\nowned by the service’s User=, which is root instead of unbound. We’re\nstill letting the service setuid() itself, instead of starting it as\nUser=unbound with AmbientCapabilities=, because the latter would\nprobably mean that it keeps the capabilities indefinitely rather than\ndropping them with the setuid(); compare commit 810cb5230c for apache2.\n\n[1]: https://github.com/NLnetLabs/unbound/blob/1e47eea6e3fe7694e3d4e1475fe104b5aceba853/contrib/unbound.service.in","shortMessageHtmlLink":"Use Unbound for SpamAssassin"}},{"before":"20467f5616652ca157c5dcef159677bb9e1bdcdc","after":"bbb77c9bb9684afe7851ce183b8f7e59d4abccba","ref":"refs/heads/main","pushedAt":"2023-07-19T19:40:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Add Email filter for cloud-l and update wikitech-l\n\nMark both as seen (read), since I usually read them on my work email\naccount instead; but it’s useful to still be subscribed to them.","shortMessageHtmlLink":"Add Email filter for cloud-l and update wikitech-l"}},{"before":"eb64de8ed4b214a772ad62a6f4e2929f2d6c9e5f","after":"20467f5616652ca157c5dcef159677bb9e1bdcdc","ref":"refs/heads/main","pushedAt":"2023-07-16T14:05:02.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Use debian-spamd user instead of custom spamd user\n\nI’ve been fighting over Debian with this for years 
(see c806a8f2a7,\nf6352406ce), but it still didn’t work: specifically, the “it” here is\nspamassassin-maintenance.{service,timer}, which was broken, leaving me\nwith very outdated spam definitions. And really, there’s no reason to\nexpect the Debian package to support SpamAssassin being installed under\nanother user name, even if there was *partial* support for it (see [1]).\nLet’s just use debian-spamd. The package doesn’t need to know that we\nhave our own spamassassin.service (replacing spamd.service).\n\nIn addition to the changes recorded here, I also manually removed the\ndpkg-statoverride entries, removed the spamd group from spamass-milter,\nfixed the ownership of /var/lib/spamassassin and removed the spamd user.\n\n dpkg-statoverride --remove /var/lib/spamassassin\n dpkg-statoverride --remove /var/lib/spamassassin/sa-update-keys\n usermod -rG spamd spamass-milter\n chown -R debian-spamd: /var/lib/spamassassin/\n userdel spamd\n\n(I think that was everything, though it’s possible I forgot some other\nmanual steps I did. 
There was also a bit of manual testing in between –\ne.g., I thought postfix needed to be in the debian-spamd group, but that\nturns out not to be the case, so I removed it again.)\n\n[1]: https://salsa.debian.org/debian/spamassassin/-/merge_requests/2","shortMessageHtmlLink":"Use debian-spamd user instead of custom spamd user"}},{"before":"80a66d259e9513859aaf18af5126a99daf732838","after":"eb64de8ed4b214a772ad62a6f4e2929f2d6c9e5f","ref":"refs/heads/main","pushedAt":"2023-06-19T10:22:03.316Z","pushType":"push","commitsCount":2,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Extend thelounge.service sandbox a bit again\n\nI think these might have been in the old package unit file, not sure.\nFound via `systemd-analyze security thelounge.service`.","shortMessageHtmlLink":"Extend thelounge.service sandbox a bit again"}},{"before":"388647ab0014ab9a10ca0efa0bd26ba3ed4e9832","after":"80a66d259e9513859aaf18af5126a99daf732838","ref":"refs/heads/main","pushedAt":"2023-06-18T22:17:59.234Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Update The Lounge to 4.4.1\n\nTaavi ships the new version now \\o/ so we no longer need the bullseye\nsuite from that repository.\n\nThe package’s unit file now also includes all the sandboxing directives\nI added, so we can remove those. However, we need to add PrivateTmp=yes\nto avoid a bunch of:\n\n[ERROR] Failed to load messages for lucas: Error: SQLITE_IOERR: disk I/O error\n\nwhich `strace`s to EROFS on access(\"/var/tmp\", W_OK|X_OK). 
I think the\nold unit file might have had PrivateTmp=yes (which would be why I didn’t\nhave it in sandbox.conf before), and it got accidentally removed, but\nI’m not sure.","shortMessageHtmlLink":"Update The Lounge to 4.4.1"}},{"before":"8c586b734e7e1ff37276afa44460c2f30340934e","after":"388647ab0014ab9a10ca0efa0bd26ba3ed4e9832","ref":"refs/heads/main","pushedAt":"2023-06-18T17:18:07.360Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove .dpkg-dist file\n\nDidn’t realize this one was included in the Debian 12 commit.","shortMessageHtmlLink":"Remove .dpkg-dist file"}},{"before":"280fcc4ea77dd4176f02a11b601fd7b043eb700d","after":"8c586b734e7e1ff37276afa44460c2f30340934e","ref":"refs/heads/main","pushedAt":"2023-06-18T17:09:42.954Z","pushType":"push","commitsCount":2,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Temporarily restore bullseye packages from Taavi\n\nThe thelounge package isn’t available in the bookworm suite yet.","shortMessageHtmlLink":"Temporarily restore bullseye packages from Taavi"}},{"before":"c0eb4055fe743675d24f3269870c01ace074b1fc","after":"280fcc4ea77dd4176f02a11b601fd7b043eb700d","ref":"refs/heads/main","pushedAt":"2023-06-11T17:24:12.920Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove .dpkg-old file\n\nIn advance of Debian 12 (bookworm).","shortMessageHtmlLink":"Remove .dpkg-old 
file"}},{"before":"a3e59b5a017a0778f9d1e7f1fb72eba3ef575d9d","after":"c0eb4055fe743675d24f3269870c01ace074b1fc","ref":"refs/heads/main","pushedAt":"2023-06-10T14:05:27.754Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Tighten dehydrated.service sandbox a bit further\n\nChange the system call filter from a denylist to an allowlist, and\ndisallow it from binding to any network sockets. Still works (tested by\nadding --force to the command line).","shortMessageHtmlLink":"Tighten dehydrated.service sandbox a bit further"}},{"before":"4a60bb308c9508bb02b49ef469b3df2f100a750b","after":"a3e59b5a017a0778f9d1e7f1fb72eba3ef575d9d","ref":"refs/heads/main","pushedAt":"2023-06-10T13:54:26.439Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Stop advertising git:// URLs\n\nAs WPIA is ramping down, I don’t think a whole lot of people are still\ninterested in cloning this code. Let’s start to sunset code.wpia.club as\nwell, first by no longer advertising git:// URLs; later, I’ll turn off\nthe git service as well. 
(The direct motivation for this is that random\nrequests against it regularly lead to failed git@* units that I then\nhave to reset-failed manually every few weeks or so.)","shortMessageHtmlLink":"Stop advertising git:// URLs"}},{"before":"c4b5959334e25ae8fe2f32abf168f8f36677f29a","after":"4a60bb308c9508bb02b49ef469b3df2f100a750b","ref":"refs/heads/main","pushedAt":"2023-05-19T09:45:32.525Z","pushType":"push","commitsCount":1,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Add Email filter for Wikitech-l\n\nI’m now on that list as a consequence of [1].\n\n[1]: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/7SGI6GSE34AAZGVTMPUPADBGJDQQXLMA/","shortMessageHtmlLink":"Add Email filter for Wikitech-l"}},{"before":"d2967ad4a9d8b2557cf2c70848b1884d7b94f9c5","after":"c4b5959334e25ae8fe2f32abf168f8f36677f29a","ref":"refs/heads/main","pushedAt":"2023-04-29T15:56:13.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"lucaswerkmeister","name":"Lucas Werkmeister","path":"/lucaswerkmeister","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/2346599?s=80&v=4"},"commit":{"message":"Remove includeSubDomains from Strict-Transport-Security\n\ntmp.lucaswerkmeister.de and [old server name].lucaswerkmeister.de should\nactually keep the ability to connect using HTTP.\n\nNote that conf-available/ssl.conf still has includeSubDomains; that’s\nfine, since it’s only used for subdomains like irc.lucaswerkmeister.de.","shortMessageHtmlLink":"Remove includeSubDomains from Strict-Transport-Security"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAERGl_pgA","startCursor":null,"endCursor":null}},"title":"Activity · lucaswerkmeister/server-etc"}