FeministWiki:Technical documentation

    Revision as of 17:34, 9 September 2018 by SocJusWiz (section edited: LDAP)

    This page documents the FeministWiki's technical infrastructure, the target audience being technicians.

    Hosts

    The following table documents the DNS configuration. Since every name resolves to the same address, the rows can also be pasted into /etc/hosts on each server so that the services reach one another without DNS lookups.

    IP              FQDN                            Host         Purpose
    85.214.101.34   feministwiki.org                             Wiki
    85.214.101.34   www.feministwiki.org            www          Wiki
    85.214.101.34   ldap.feministwiki.org           ldap         LDAP
    85.214.101.34   chat.feministwiki.org           chat         Web client for XMPP
    85.214.101.34   forum.feministwiki.org          forum        BBS forum
    85.214.101.34   mail.feministwiki.org           mail         Web client for mail
    85.214.101.34   files.feministwiki.org          files        File storage
    85.214.101.34   imap.feministwiki.org           imap         IMAP
    85.214.101.34   smtp.feministwiki.org           smtp         SMTP
    85.214.101.34   xmpp.feministwiki.org           xmpp         XMPP
    85.214.101.34   irc.feministwiki.org            irc          IRC
    85.214.101.34   social.feministwiki.org         social       GNU social
    85.214.101.34   add-member.feministwiki.org     add-member   Add a member

    (As you can see, all services are on the same server for now.)

    SSH access

    FeministWiki hosts have ssh enabled for root login, but password authentication is disabled: you must hold a private key whose public key is in root's authorized_keys. A quick check that the setting is actually in effect is to force password authentication from outside (ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password root@feministwiki.org); the connection must be refused without ever showing a password prompt.

    Git repo of scripts and configuration

    The following GitHub account hosts repositories with scripts and configuration used by the FeministWiki:

    https://github.com/FeministWiki

    Certs

    The FeministWiki uses Let's Encrypt to acquire the certificates used for TLS on all services.

    To ease use of the letsencrypt command, the file /root/etc/domains contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the /etc/letsencrypt/live/feministwiki.org directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first), because the standalone authenticator starts its own web server on port 80 to answer the HTTP-01 challenge:

    letsencrypt certonly --authenticator standalone -d "$(paste -sd, /root/etc/domains)"

    (paste -sd, joins the lines with commas; tr '\n' ',' would also turn the final newline into a trailing comma, which letsencrypt would see as an extra, empty domain name.)

    Additionally, for programs that require the cert chain and its private key in a single combined .pem file, run the following commands to generate such a file. Since the bundle contains the private key, make sure it is readable by root only (chmod 600 certbundle.pem after creating it):

    cd /etc/letsencrypt/live/feministwiki.org
    cat fullchain.pem privkey.pem > certbundle.pem
    

    The script /root/bin/letsencrypt-refresh does all of the above, so in practice you just need to run the following commands to recreate the cert:

    service apache2 stop  # Assuming Apache is running on the machine
    letsencrypt-refresh
    service apache2 start
    

    The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to /root/etc/domains and run the commands.

    Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer. Make sure to run it from within a proper terminal emulator.
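
    The refresh procedure above, written out as a script, is shown below as an added example; it is not the FeministWiki's own /root/bin/letsencrypt-refresh and its names are assumptions: the DOMAINS_FILE, LIVE_DIR and CERTBOT variables, the join_domains, write_bundle and refresh_certs functions and the --run flag are all hypothetical. It assumes one FQDN per line in /root/etc/domains, Apache being the only listener on TCP port 80, and the letsencrypt (certbot) CLI on PATH. Compared with running the three commands by hand it adds the things a practitioner wants when the step is scripted: no trailing comma in the domain list, Apache restarted even if issuance fails half-way, --expand so that a newly listed domain is added to the existing cert, and a bundle file that is never world-readable.

```sh
#!/bin/sh
# Added example: a hypothetical reimplementation of /root/bin/letsencrypt-refresh
# that follows the documented procedure. It is not the FeministWiki's own script.
# Assumptions (not from the original page): the domain list is one FQDN per line
# in DOMAINS_FILE, Apache is the only listener on TCP/80, and the letsencrypt
# (certbot) CLI is on PATH.
set -eu

DOMAINS_FILE="${DOMAINS_FILE:-/root/etc/domains}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/feministwiki.org}"
CERTBOT="${CERTBOT:-letsencrypt}"

# Print the FQDNs in the file as one comma-separated list. Blank lines and
# '#' comments are skipped, and unlike `tr '\n' ','` there is no trailing comma.
join_domains() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | paste -sd, -
}

# Combine the chain and the private key for programs that want a single PEM.
# The bundle contains the key, so it must not be readable by other users
# (umask covers a new file, chmod covers an existing one that is overwritten).
write_bundle() {
    ( umask 077; cat "$1/fullchain.pem" "$1/privkey.pem" > "$1/certbundle.pem" )
    chmod 600 "$1/certbundle.pem"
}

# Free port 80 for the standalone authenticator, request the certificate
# (--expand lets a domain newly added to the list join the existing cert),
# rebuild the bundle, and restart Apache even if issuance fails part-way.
refresh_certs() {
    domains="$(join_domains "$DOMAINS_FILE")"
    if [ -z "$domains" ]; then
        echo "no domains listed in $DOMAINS_FILE" >&2
        return 1
    fi
    service apache2 stop
    trap 'service apache2 start' EXIT
    "$CERTBOT" certonly --authenticator standalone --expand -d "$domains"
    write_bundle "$LIVE_DIR"
}

# Only act when invoked explicitly, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    refresh_certs
fi
```

    As written the certbot call is still interactive, like the page's own procedure, so it must be run from a real terminal; for unattended use (cron) add --non-interactive together with --keep-until-expiring so that certbot has a defined answer when the requested names match the existing cert.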

    Services

    This section documents the individual services of the FeministWiki. They are set up to work regardless of which server they run on, i.e. every service could in theory be hosted on a server of its own.

    LDAP

    Host: ldap.feministwiki.org
    Software: OpenLDAP

    The LDAP service contains the central database of FeministWiki members. The structure looks like this:

    • dc=feministwiki,dc=org
      • ou=members
        • cn=username
          objectClass: inetOrgPerson
          cn: username
          uid: username
          sn: -
          userPassword: {SSHA}saltedhash
          mail: username@feministwiki.org
        • cn=username2
          objectClass: inetOrgPerson
          cn: username2
          uid: username2
          sn: -
          userPassword: {SSHA}saltedhash2
          mail: username2@feministwiki.org
          manager: cn=username,ou=members,dc=feministwiki,dc=org
        • ...
      • ou=groups
        • cn=members
          objectClass: groupOfNames
          cn: members
          member: cn=username,ou=members,dc=feministwiki,dc=org
          member: cn=username2,ou=members,dc=feministwiki,dc=org
          member: ...

    Notes:

    • The cn (common name) and uid (user ID) fields both contain the username. This is because some software is preconfigured to look at uid, while most looks at cn.
    • The sn (surname) field simply contains a minus character as a placeholder, because it's a mandatory field of inetOrgPerson.
    • The manager field is optional and we use it to record the member who added the member in question. Its value is the full DN of that member.
    • The member values of the groupOfNames entry are also full DNs, not bare usernames: member has DN syntax, and OpenLDAP rejects a value such as "member: username" as an invalid syntax.

    To make sure passwords are stored with the {SSHA} scheme rather than in plain text, the ppolicy "password policy overlay" is used with olcPPolicyHashCleartext set to TRUE. This makes slapd hash any cleartext userPassword value it receives in an Add or Modify request (the Password Modify extended operation used by ldappasswd is hashed anyway); the scheme itself comes from the server's olcPasswordHash setting, whose default is {SSHA}. To confirm that it works, read the passwords back as root over the local socket (ldapsearch -Y EXTERNAL -H ldapi:/// -b ou=members,dc=feministwiki,dc=org userPassword) and check that every value starts with {SSHA}. ZYTRAX has a very nice book about LDAP which documents how to enable the overlay: http://www.zytrax.com/books/ldap/ch6/ppolicy.html

    In short, the steps go as follows (these commands should work verbatim on a Debian-style slapd with cn=config; on OpenLDAP 2.5 and later the ppolicy schema is built into the server and the first step is not needed):

    # Add the ppolicy schema
    ldapadd -Y external -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif
    
    # Enable the ppolicy dynamic module
    ldapmodify -Y external -H ldapi:/// <<EOF
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: ppolicy
    EOF
    
    # Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
    ldapadd -Y external -H ldapi:/// <<EOF
    dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
    objectClass: olcPPolicyConfig
    olcOverlay: ppolicy
    olcPPolicyHashCleartext: TRUE
    EOF
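
    The following script is an added example that ties the two points of this section together: the shape of a member entry and its DN-valued membership record, and the {SSHA} values the ppolicy overlay produces. It is not the FeministWiki's own add-member tooling; the function names (valid_username, member_ldif, make_ssha, verify_ssha, hex2bin), the --run flag and the username rule are assumptions. member_ldif emits the LDIF for a new member plus the cn=members modification and refuses usernames that could alter the DN or the LDIF (commas, equals signs, newlines); make_ssha and verify_ssha implement the {SSHA} format (base64 of SHA-1(password || salt) followed by the salt) so that a value read back with ldapsearch can be checked against a known password, and a value without the {SSHA} prefix is reported as a failure because it means the overlay did not hash it.

```sh
#!/bin/sh
# Added example, not the FeministWiki's own tooling: helpers for adding a member
# entry that matches the documented directory layout, plus a check of the
# {SSHA} values the ppolicy overlay produces. Hypothetical names: --run,
# valid_username, member_ldif, hex2bin, make_ssha, verify_ssha.
set -eu

BASE_DN="dc=feministwiki,dc=org"

# Reject usernames that could alter the generated DN or LDIF (commas, equals
# signs, newlines, spaces, ...). Only lowercase letters, digits, '.', '_', '-'.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{0,63}$'
}

# LDIF for a new member plus the membership record in cn=members. The password
# travels in clear over ldapi:/// and is hashed by slapd (olcPPolicyHashCleartext).
# groupOfNames 'member' values are full DNs, not bare usernames.
member_ldif() {  # $1 new username, $2 username of the adding member, $3 password
    valid_username "$1" && valid_username "$2" || return 1
    cat <<EOF
dn: cn=$1,ou=members,$BASE_DN
changetype: add
objectClass: inetOrgPerson
cn: $1
uid: $1
sn: -
mail: $1@feministwiki.org
manager: cn=$2,ou=members,$BASE_DN
userPassword: $3

dn: cn=members,ou=groups,$BASE_DN
changetype: modify
add: member
member: cn=$1,ou=members,$BASE_DN
EOF
}

# Hex digits on stdin -> raw bytes on stdout (needed to base64 the digest).
hex2bin() {
    for pair in $(sed 's/../& /g'); do
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# {SSHA} = base64( SHA1(password || salt) || salt ): the format slapd stores.
make_ssha() {  # $1 password, $2 salt
    blob="$({ printf '%s%s' "$1" "$2" | sha1sum | cut -c1-40 | hex2bin
              printf '%s' "$2"; } | base64 | tr -d '\n')"
    printf '{SSHA}%s' "$blob"
}

# Returns 0 if $2 is the password behind the stored value $1. A value without
# the {SSHA} prefix fails: the overlay did not hash it (or another scheme is in use).
verify_ssha() {  # $1 stored userPassword value, $2 candidate password
    case "$1" in '{SSHA}'*) ;; *) return 1 ;; esac
    b64="${1#??????}"
    stored="$(printf '%s' "$b64" | base64 -d | head -c 20 | od -An -v -tx1 | tr -d ' \n')"
    calc="$({ printf '%s' "$2"; printf '%s' "$b64" | base64 -d | tail -c +21; } | sha1sum | cut -c1-40)"
    [ "$stored" = "$calc" ]
}

# Usage: ./add-member --run <new-username> <your-username>
# The password is prompted for and the LDIF is fed to slapd over the local
# socket using root's SASL EXTERNAL identity, as in the ppolicy commands above.
if [ "${1:-}" = "--run" ]; then
    printf 'Password for %s: ' "$2"; stty -echo; read -r pw; stty echo; echo
    member_ldif "$2" "$3" "$pw" | ldapmodify -Y EXTERNAL -H ldapi:///
fi
```

    The verification half is what you would use after enabling the overlay: add a test member with a known password, fetch its userPassword with ldapsearch, and run verify_ssha on the value; a cleartext value fails the prefix check immediately, a correct {SSHA} value verifies against the known password and nothing else.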
    

    Wiki

    Host: feministwiki.org, www.feministwiki.org
    Software: MediaWiki

    (continue here)