- Apr 24, 2021
-
-
Rosen Penev authored
Signed-off-by:
Rosen Penev <rosenp@gmail.com>
-
Leonardo Mörlein authored
Staging certificates have the advantage that their retry limits are loose. Therefore they can be obtained quickly when automatic retries are used. Unfortunately they can not be used for deployments because their CA is not accepted by clients. Production certificates do not have this limitation, but their retry limits are strict. For production certificates, automatic retries can only be performed a few times per hour. This makes automatic obtainment of certificates tenacious. With use_auto_staging=1, the advantages of the two certificate types are combined. Uacme will first obtain a staging certificate. When the staging certificate is successfully obtained, uacme will switch and obtain a production certificate. Since the staging certificate has already been successfully obtained, we can ensure that the production certificate is successfully obtained in the first attempt. This means that "retries" are performed on the staging certificate and the production certificate is obtained in the first attempt. In summary, this feature enables fast obtaining of production certificates when automatic retries are used. By default, this feature is set to use_auto_staging=0, which means that uacme will behave as before by default. Signed-off-by:
Leonardo Mörlein <git@irrelefant.net>
-
Leonardo Mörlein authored
With this commit, issue_cert() can be called multiple times alternating between staging and production certificates within a script. Before this commit, the production state dir was stored in $STATE_DIR. But in the case of $use_staging=1, this variable was overwritten in issue_cert() with $STAGING_STATE_DIR. This made it impossible to call issue_cert() with $use_staging=0 afterwards. Now the production state dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden anymore and issue_cert() can be called multiple times alternating with production and staging. Signed-off-by:
Leonardo Mörlein <git@irrelefant.net>
-
Rosen Penev authored
mutt: don't use host mailpath definition
-
Oldřich Jedlička authored
The get_bool() functionality was already merged to lib/functions.sh, so it is redundant in the init script. Remove it. Signed-off-by:
Oldřich Jedlička <oldium.pro@gmail.com>
-
Oskari Rauta authored
Signed-off-by:
Oskari Rauta <oskari.rauta@gmail.com>
-
Oskari Rauta authored
Signed-off-by:
Oskari Rauta <oskari.rauta@gmail.com>
-
Rosen Penev authored
lighttpd: patches from upstream
-
Glenn Strauss authored
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by:
Glenn Strauss <gstrauss@gluelogic.com>
-
- Apr 23, 2021
-
-
Dirk Brenken authored
banip: fix housekeeping
-
Dirk Brenken authored
* fix whitelist housekeeping if you switch between normal- and 'whitelist only' mode Signed-off-by:
Dirk Brenken <dev@brenken.org>
-
Josef Schlehofer authored
atlas-sw-probe: improve key creation
-
- Apr 22, 2021
-
-
Ansuel Smith authored
- Exit start if a probe_key is not present
- Add create_key command to generate a private_key based on the provided username in the atlas config.
- Add registration instruction in /etc/atlas
- Rework script to save probe_key on sysupgrade (the keys are now advised to be placed in the /etc/atlas dir and a link is used to make them accessible in the atlas-sw-scripts etc dir)
Signed-off-by:
Ansuel Smith <ansuelsmth@gmail.com>
-
Dirk Brenken authored
banip: update to 0.7.7
-
- Apr 21, 2021
-
-
Daniel Golle authored
* lots of fixes for many subsystems
* new messenger group chat service
* 'abd' temporarily removed due to upstream issue
Signed-off-by:
Daniel Golle <daniel@makrotopia.org>
-
Rosen Penev authored
tmux: update to 3.2
-
Rosen Penev authored
openvpn: update to 2.5.2
-
Magnus Kroken authored
Fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Add CI build test script. Signed-off-by:
Magnus Kroken <mkroken@gmail.com>
-
Maxim Storchak authored
- switch to $(AUTORELEASE)
- change dependency from libevent2 to libevent2-core
Signed-off-by:
Maxim Storchak <m.storchak@gmail.com>
-
Dirk Brenken authored
* add a "whitelist only" mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the Internet. Signed-off-by:
Dirk Brenken <dev@brenken.org>
-
Daniel Golle authored
Use sfdisk to get GPT partition by name as partition names are not known by the kernel if added via partx. Make sure physical volume names are unique, if possible correlate with the disk's serial number and/or card's cid. mkf2fs apparently returns 134 even in case format succeeded, so don't fail in that case (this fixes rw volumes large enough for F2FS to be selected by the lvm scripts of uvol). Signed-off-by:
Daniel Golle <daniel@makrotopia.org>
-
Hirokazu MORIKAWA authored
Resolve conflicts between OpenWrt's ICU package and the ICU shipped with node.js. https://github.com/openwrt/packages/issues/15437 Signed-off-by:
Hirokazu MORIKAWA <morikw2@gmail.com>
-
Gerard Ryan authored
Signed-off-by:
Gerard Ryan <G.M0N3Y.2503@gmail.com>
-
Gerard Ryan authored
Signed-off-by:
Gerard Ryan <G.M0N3Y.2503@gmail.com>
-
Gerard Ryan authored
Signed-off-by:
Gerard Ryan <G.M0N3Y.2503@gmail.com>
-
Gerard Ryan authored
Signed-off-by:
Gerard Ryan <G.M0N3Y.2503@gmail.com>
-
Florian Eckert authored
stunnel: update to 5.59
-
Rosen Penev authored
mtools: add new package
-
Rosen Penev authored
openssh: update to 8.6p1
-
Rosen Penev authored
nextdns: Update to version 1.32.0
-
Rosen Penev authored
podman: update to 3.1.1
-
Oskari Rauta authored
- Add support for AppArmor
- Gracefully stop containers and pods on shutdown

I found out that if you change location of containers to persistent storage instead of tmpfs, starting them will fail unless they have been stopped. If this is the case that reboot has occurred before pods and containers have been stopped, they cannot be started, they have to be removed and re-created. Change in initscript tries to avoid that. Even if containers are running at tmpfs, this won't hurt. Still, if something happens and system hangs/reboots/etc, script won't save you from that. It's just an attempt to make things better. I also enabled AppArmor support for future possibilities.
Signed-off-by:
Oskari Rauta <oskari.rauta@gmail.com>
-
Oskari Rauta authored
Signed-off-by:
Oskari Rauta <oskari.rauta@gmail.com>
-
- Apr 20, 2021
-
-
Rosen Penev authored
boost: Bump to version 1.76.0
-
Oskari Rauta authored
Signed-off-by:
Oskari Rauta <oskari.rauta@gmail.com>
-
Carlos Miguel Ferreira authored
This commit updates boost to version 1.76.0. There are no new libraries in this version. More info about Boost 1.76.0 can be found at the usual place [1].

Note: This package update includes a fix merged to Boost.Fiber in [2] which did not make it into this version but it will be present in the next one. For now, the patch is needed, but it will be removed in version 1.77.0.

[1]: https://www.boost.org/users/history/version_1_76_0.html
[2]: https://github.com/boostorg/fiber/pull/276
Signed-off-by:
Carlos Miguel Ferreira <carlosmf.pt@gmail.com>
-
Rosen Penev authored
This is a single C file. Don't bother using the Makefile. Signed-off-by:
Rosen Penev <rosenp@gmail.com>
-
Olivier Poitrey authored
Signed-off-by:
Olivier Poitrey <rs@nextdns.io>
-
Luka authored
uci2: update revision
-
Sibren Vasse authored
Signed-off-by:
Sibren Vasse <github@sibrenvasse.nl>
-