1,105
edits
(Created page with "This page documents the FeministWiki's technical infrastructure, the target audience being technicians. == Hosts == The following table documents the DNS configuration, and...") |
Technician (talk | contribs) (→Blog) |
||
(36 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
== Hosts == | == Hosts == | ||
The following table documents the DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another. | The following table documents the basic DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another. | ||
{| class="wikitable" | {| class="wikitable" | ||
!IP !! FQDN !! Host | !IP !! FQDN !! Host !! Purpose | ||
|- | |- | ||
|85.214.101.34 || feministwiki.org || | |85.214.101.34 || feministwiki.org || || Wiki | ||
|- | |- | ||
|85.214.101.34 || www.feministwiki.org || www | |85.214.101.34 || www.feministwiki.org || www || Wiki | ||
|- | |- | ||
|85.214.101.34 || ldap.feministwiki.org || ldap | |85.214.101.34 || ldap.feministwiki.org || ldap || LDAP | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || blog.feministwiki.org || blog || Blogging | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || chat.feministwiki.org || chat || Web-client for XMPP | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || forum.feministwiki.org || forum || BBS Forum | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || mail.feministwiki.org || mail || Web-client for Mail | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || files.feministwiki.org || files || File storage | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || imap.feministwiki.org || imap || IMAP | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || pop3.feministwiki.org || pop3 || POP3 | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || smtp.feministwiki.org || smtp || SMTP | ||
|- | |- | ||
|85.214.101.34 || | |85.214.101.34 || xmpp.feministwiki.org || xmpp || XMPP | ||
|- | |- | ||
|85.214.101.34 || add-member.feministwiki.org || add-member | |85.214.101.34 || irc.feministwiki.org || irc || IRC | ||
|- | |||
|85.214.101.34 || social.feministwiki.org || social || GNU social | |||
|- | |||
|85.214.101.34 || add-member.feministwiki.org || add-member || Add a member | |||
|} | |} | ||
(As you can see, all services are on the same server for now.) | (As you can see, all services are on the same server for now.) | ||
== Special DNS entries == | |||
For CAA: | |||
{| class="wikitable" | |||
!Type !! Name !! Flag !! Tag !! Value | |||
|- | |||
|CAA || @ || 0 || issue || letsencrypt.org | |||
|- | |||
|CAA || @ || 0 || iodef || admin@feministwiki.org | |||
|} | |||
For email: | |||
{| class="wikitable" | |||
!Type !! Host !! Data !! Purpose | |||
|- | |||
|MX || @ || smtp.feministwiki.org || Mail server | |||
|- | |||
|TXT || @ || v=spf1 mx -all || SPF | |||
|- | |||
|TXT || mail._domainkey || v=DKIM1; k=rsa; p=<pubkey> || DKIM | |||
|- | |||
|TXT || _dmarc || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC | |||
|} | |||
For XMPP: | |||
{| class="wikitable" | |||
!Type !! Service !! Protocol !! Name !! Destination !! Port | |||
|- | |||
|SRV || _xmpp-client || _tcp || @ || xmpp.feministwiki.org || 5222 | |||
|- | |||
|SRV || _xmpp-server || _tcp || @ || xmpp.feministwiki.org || 5269 | |||
|} | |||
Google Site Verification: | |||
{| class="wikitable" | |||
!Type !! Host !! Data | |||
|- | |||
|TXT || @ || google-site-verification=<key> | |||
|} | |||
== SSH access == | |||
FeministWiki hosts have ssh enabled for <code>root</code> access, but password login is disabled. You must own a valid private key to log in. | |||
== Git repo of scripts and configuration == | |||
The following GitHub account hosts repositories with scripts and configuration used by the FeministWiki: | |||
https://github.com/FeministWiki | |||
== Certs == | == Certs == | ||
Line 41: | Line 99: | ||
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication. | The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication. | ||
To ease use of the letsencrypt command, the file <code>/root/domains</code> contains all the FQDNs used by the FeministWiki, one per line | To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first): | ||
# Use $() to eliminate the terminating newline, if any. | |||
domains=$(cat /root/etc/domains) | |||
domains=$(printf '%s' "$domains" | tr '\n' ',') | |||
letsencrypt certonly --authenticator standalone --keep --expand -d "$domains" | |||
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file: | Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file: | ||
Line 52: | Line 115: | ||
The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert: | The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert: | ||
service apache2 stop | service apache2 stop # Assuming Apache is running on the machine | ||
letsencrypt-refresh | letsencrypt-refresh | ||
service apache2 start | service apache2 start | ||
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to <code>/root/domains</code> and run the commands. | The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to <code>/root/etc/domains</code> and run the commands. | ||
Note that the letsencrypt command | Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer. If in doubt, run it from within a proper terminal emulator. | ||
=== Readability of the key files === | |||
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>. | |||
== Services == | == Services == | ||
Line 64: | Line 131: | ||
This section documents the individual services of the FeministWiki. They should work regardless of what server they're on. I.e. every service could in theory be hosted on its own server. | This section documents the individual services of the FeministWiki. They should work regardless of what server they're on. I.e. every service could in theory be hosted on its own server. | ||
=== | === LDAP === | ||
Host: ldap.feministwiki.org <br/> | |||
Software: OpenLDAP | |||
The LDAP service contains the central database of FeministWiki members. The structure looks like this: | |||
* dc=feministwiki,dc=org | |||
** ou=members | |||
*** cn=''username'' <br/> objectClass: inetOrgPerson <br/> cn: ''username'' <br/> uid: ''username'' <br/> sn: - <br/> userPassword: {SSHA}''saltedhash'' <br/> mail: ''username''@feministwiki.org | |||
*** cn=''username2'' <br/> objectClass: inetOrgPerson <br/> cn: ''username2'' <br/> uid: ''username2'' <br/> sn: - <br/> userPassword: {SSHA}''saltedhash2'' <br/> mail: ''username2''@feministwiki.org <br/> manager: cn=''username'',ou=members,dc=feministwiki,dc=org | |||
*** ... | |||
** ou=groups | |||
*** cn=members <br/> objectClass: groupOfNames <br/> cn: members <br/> member: ''username'' <br/> member: ''username2'' <br/> member: ... | |||
Notes: | |||
* The <code>cn</code> (common name) and <code>uid</code> (user ID) fields both contain the username. This is because some software is preconfigured to look at <code>uid</code>, while most look at <code>cn</code>. | |||
* The <code>sn</code> (surname) field simply contains a minus character as a placeholder, because it's a mandatory field. | |||
* The <code>manager</code> field is optional and we use it to record the member who added the member in question. | |||
To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html | |||
In short, the steps go as follows (these commands ''should'' work verbatim): | |||
# Add the ppolicy schema | |||
ldapadd -Y external -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif | |||
# Enable the ppolicy dynamic module | |||
ldapmodify -Y external -H ldapi:/// <<EOF | |||
dn: cn=module{0},cn=config | |||
changetype: modify | |||
add: olcModuleLoad | |||
olcModuleLoad: ppolicy | |||
EOF | |||
# Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE | |||
ldapadd -Y external -H ldapi:/// <<EOF | |||
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config | |||
objectClass: olcPPolicyConfig | |||
olcOverlay: ppolicy | |||
olcPPolicyHashCleartext: TRUE | |||
EOF | |||
=== Wiki === | |||
Host: feministwiki.org, www.feministwiki.org <br/> | |||
Software: MediaWiki | Software: MediaWiki | ||
( | The wiki uses a [https://www.mediawiki.org/wiki/MediaWiki MediaWiki] installation located at <code>/var/www/wiki/w</code> with the [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication LDAP Authentication] plugin for login management and the "Short URL" feature enabled with help of Apache's vhost configuration, which is located at <code>/etc/apache2/sites-available/wiki.conf</code>. | ||
The wiki uses the SQL database called "feministwiki" and the SQL user of the same name. | |||
=== Blog === | |||
Host: blog.feministwiki.org <br/> | |||
Software: WordPress | |||
This is a fairly standard WordPress installation in <code>/var/www/blog</code>, with LDAP authentication enabled via the AD/LDAP plugin from miniOrange. | |||
Users from LDAP are registered as "subscriber" by default, and the admin has to change their WordPress role manually to allow contribution, authoring, or editing. | |||
The permalink structure configured in WordPress is <code>/p/%author%/%year%/%monthnum%/%postname%/</code>, where Apache handles the rewrite from <code>/p/</code> to <code>/index.php/</code> for it to actually work. | |||
WordPress uses the SQL database called "feministblog" and an SQL user of the same name. | |||
=== Chat (web interface) === | |||
Host: chat.feministwiki.org <br/> | |||
Software: Converse.js | |||
The web-interface for the FeministChat uses the full-screen "Impress" variant of the [https://conversejs.org/ Converse.js] XMPP client. The hosted HTML and JS files are located at <code>/var/www/chat</code>, although they load Converse.js as an external script from upstream, which is why the self-hosted HTML and JS are very minimal. | |||
=== Forum === | |||
Host: forum.feministwiki.org <br/> | |||
Software: phpBB | |||
The forum uses a [https://www.phpbb.com/ phpBB] installation located at <code>/var/www/forum</code>. Most configuration of phpBB, including LDAP authentication, is done through its administration panel. The style used by the forum is essentially Basic Orange, though the logo is changed via an inheriting style called FeministWiki. | |||
The forum uses the SQL database called "feministforum" and the SQL user of the same name. | |||
=== Mail (web interface) === | |||
Host: mail.feministwiki.org <br/> | |||
Software: Roundcube | |||
The web-interface for the FeministMail uses the [https://roundcube.net/ Roundcube] mail client, installed at <code>/var/www/mail</code>. It uses the standard "larry" style, but with some tweaks to logos and images. | |||
=== Files === | |||
Host: files.feministwiki.org <br/> | |||
Software: Nextcloud | |||
FeministFiles is a [https://nextcloud.com/ Nextcloud] installation with some branding, and LDAP authentication, installed at <code>/var/www/files</code>. | |||
=== IMAP === | |||
Host: imap.feministwiki.org <br/> | |||
Software: Dovecot | |||
FeministMail uses the [https://www.dovecot.org/ Dovecot] IMAP server, configured for LDAP authentication and using virtual mail boxes under <code>/home/vmail</code>. | |||
=== POP3 === | |||
Host: pop3.feministwiki.org <br/> | |||
Software: Dovecot | |||
While Dovecot is primarily an IMAP server, it also offers POP3 support, which the FeministWiki installation has enabled. | |||
=== SMTP === | |||
Host: smtp.feministwiki.org <br/> | |||
Software: Postfix, OpenDKIM | |||
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM. Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests. | |||
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes. | |||
=== XMPP === | |||
Host: xmpp.feministwiki.org <br/> | |||
Software: ejabberd | |||
FeministChat uses the [https://www.ejabberd.im/ ejabberd] XMPP server, configured to use LDAP authentication and an LDAP-based shared roster group for all members. | |||
=== IRC === | |||
Host: irc.feministwiki.org <br/> | |||
Software: InspIRCd | |||
FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication. | |||
=== Add a member === | |||
Host: add-member.feministwiki.org <br/> | |||
Software: custom | |||
The page to add a new member, hosted at <code>/var/www/add-member</code>, uses a bit of self-written HTML, PHP, and a setuid-root C program to invoke the shell script located at <code>/root/bin/fw-adduser</code> with root privileges. |