Support

/jabali-admin/support. Produce an encrypted diagnostic bundle for the upstream maintainers, then open a mailto: ticket. M29.

Bundle contents

  • Panel version and commit SHA.
  • journalctl -u jabali-panel -u jabali-agent -u nginx -u mariadb --since 24h (redacted).
  • nginx -T output (server names and SSL cert paths kept; certificate bodies stripped).
  • /etc/jabali/*.toml and /etc/php/*/fpm/pool.d/jabali-*.conf (DB passwords and API tokens scrubbed).
  • DB schema (mysqldump --no-data) and row counts (no data).
  • systemctl list-unit-files | grep jabali.
  • jabali repair --diagnose output.
  • AIDE last-diff report.

Mandatory redaction

Every line passes through a redactor that:

  • Truncates non-RFC1918 IPv4 / IPv6 addresses to a /24 (or /64) prefix.
  • Replaces email addresses with <redacted-email>.
  • Strips bearer tokens, API tokens, passwords, and database connection strings.

The redactor is one of the M29 advisor’s critical findings. Operators cannot disable it from the UI.

Encryption

The bundle is encrypted in the agent with the recipient’s public key. The default recipient public key is the maintainers’ (baked into the panel image); override under Server Settings → Support → Recipient Public Key if you contract a different support party.

Encryption is mandatory; the bundle is never written to disk in plaintext.

Delivery

The page opens a mailto:webmaster@jabali-panel.com (or the operator-configured recipient address) with the encrypted bundle attached. No HTTP upload to a third-party service. This keeps the panel installable on air-gapped or restricted-egress hosts.

Why no auto-upload

Operator policy varies. Some organisations require that no diagnostic data leaves the host without explicit operator action; some require encryption against a specific key. Putting the operator in the loop on every bundle satisfies both requirements.

CLI

jabali admin diag bundle                            # write to /var/lib/jabali/support/
jabali admin diag bundle --recipient-key /path/to/pubkey.asc

The CLI variant produces the encrypted file but does not attempt to email it; the operator handles delivery.