FeministWiki:Technical documentation: Difference between revisions

(20 intermediate revisions by 2 users not shown)
Line 3: Line 3:
== Hosts ==
== Hosts ==


The following table documents the DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another.
The following table documents the basic DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another.


{| class="wikitable"
{| class="wikitable"
Line 13: Line 13:
|-
|-
|85.214.101.34 ||      ldap.feministwiki.org || ldap          || LDAP
|85.214.101.34 ||      ldap.feministwiki.org || ldap          || LDAP
|-
|85.214.101.34 ||      blog.feministwiki.org || blog          || Blogging
|-
|-
|85.214.101.34 ||      chat.feministwiki.org || chat          || Web-client for XMPP
|85.214.101.34 ||      chat.feministwiki.org || chat          || Web-client for XMPP
Line 23: Line 25:
|-
|-
|85.214.101.34 ||      imap.feministwiki.org || imap          || IMAP
|85.214.101.34 ||      imap.feministwiki.org || imap          || IMAP
|-
|85.214.101.34 ||      pop3.feministwiki.org || pop3          || POP3
|-
|-
|85.214.101.34 ||      smtp.feministwiki.org || smtp          || SMTP
|85.214.101.34 ||      smtp.feministwiki.org || smtp          || SMTP
Line 36: Line 40:


(As you can see, all services are on the same server for now.)
(As you can see, all services are on the same server for now.)
== Special DNS entries ==
For CAA:
{| class="wikitable"
!Type !! Name !! Flag !! Tag  !! Value         
|-
|CAA  || @    || 0    || issue || letsencrypt.org
|-
|CAA  || @    || 0    || iodef || admin@feministwiki.org
|}
For email:
{| class="wikitable"
!Type !! Host            !! Data                                                                  !! Purpose
|-
|MX  || @              || smtp.feministwiki.org                                                  || Mail server
|-
|TXT  || @              || v=spf1 mx -all                                                        || SPF
|-
|TXT  || mail._domainkey || v=DKIM1; k=rsa; p=<pubkey>                                            || DKIM
|-
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|}
For XMPP:
{| class="wikitable"
!Type !! Service      !! Protocol !! Name !! Destination          !! Port
|-
|SRV  || _xmpp-client || _tcp    || @    || xmpp.feministwiki.org || 5222
|-
|SRV  || _xmpp-server || _tcp    || @    || xmpp.feministwiki.org || 5269
|}
Google Site Verification:
{| class="wikitable"
!Type !! Host            !! Data
|-
|TXT  || @              || google-site-verification=<key>
|}


== SSH access ==
== SSH access ==
Line 51: Line 99:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):


letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)"
  # Use $() to eliminate the terminating newline, if any.
  domains=$(cat /root/etc/domains)
 
  domains=$(printf '%s' "$domains" | tr '\n' ',')
 
  letsencrypt certonly --authenticator standalone --keep --expand -d "$domains"


Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Line 68: Line 121:
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.


Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer.  If in doubt, run it from within a proper terminal emulator.
 
=== Readability of the key files ===
 
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.


== Services ==
== Services ==
Line 125: Line 182:


The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.
The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.
=== Blog ===
Host: blog.feministwiki.org <br/>
Software: WordPress
This is a fairly standard WordPress installation in <code>/var/www/blog</code>, with LDAP authentication enabled via the AD/LDAP plugin from miniOrange.
Users from LDAP are registered as "subscriber" by default, and the admin has to change their WordPress role manually to allow contribution, authoring, or editing.
The permalink structure configured in WordPress is <code>/p/%author%/%year%/%monthnum%/%postname%/</code>, where Apache handles the rewrite from <code>/p/</code> to <code>/index.php/</code> for it to actually work.
WordPress uses the SQL database called "feministblog" and an SQL user of the same name.


=== Chat (web interface) ===
=== Chat (web interface) ===
Line 138: Line 208:
Software: phpBB
Software: phpBB


The forum uses a [https://www.phpbb.com/ phpBB] installation located at <code>/var/www/forum</code>.  The style is a copy of the "orange" variant of the "basic" style, with only the logo swapped.
The forum uses a [https://www.phpbb.com/ phpBB] installation located at <code>/var/www/forum</code>.  Most configuration of phpBB, including LDAP authentication, is done through its administration panel.  The style used by the forum is essentially Basic Orange, though the logo is changed via an inheriting style called FeministWiki.
 
Most configuration of phpBB, including LDAP authentication, is done through its administration panel.


The forum uses the SQL database called "feministforum" and the SQL user of the same name.
The forum uses the SQL database called "feministforum" and the SQL user of the same name.
Line 164: Line 232:


FeministMail uses the [https://www.dovecot.org/ Dovecot] IMAP server, configured for LDAP authentication and using virtual mail boxes under <code>/home/vmail</code>.
FeministMail uses the [https://www.dovecot.org/ Dovecot] IMAP server, configured for LDAP authentication and using virtual mail boxes under <code>/home/vmail</code>.
=== POP3 ===
Host: pop3.feministwiki.org <br/>
Software: Dovecot
While Dovecot is primarily an IMAP server, it also offers POP3 support, which the FeministWiki installation has enabled.


=== SMTP ===
=== SMTP ===


Host: smtp.feministwiki.org <br/>
Host: smtp.feministwiki.org <br/>
Software: Postfix
Software: Postfix, OpenDKIM
 
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM.  Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.


FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot and LDAP-based virtual mail boxes under <code>/home/vmail</code>.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.


=== XMPP ===
=== XMPP ===