Jump to content

FeministWiki:Technical documentation: Difference between revisions

FeministWiki:Technical documentation (view source)

Revision as of 21:15, 21 December 2019

769 bytes removed ,  21 December 2019
→‎Custom repos
(11 intermediate revisions by the same user not shown)
Line 34: Line 34:
|85.214.101.34 ||        irc.feministwiki.org || irc          || IRC                    || 6697
|85.214.101.34 ||        irc.feministwiki.org || irc          || IRC                    || 6697
|-
|-
|85.214.101.34 || add-member.feministwiki.org || add-member    || Add a member            || 80, 443
|85.214.101.34 ||   account.feministwiki.org || account      || Account operations      || 80, 443
|}
|}


Line 68: Line 68:
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|}
|}
'''Note:''' There must be a direct A or AAAA record (not a CNAME record) for the domain name specified in the MX record.


For XMPP:
For XMPP:
Line 115: Line 117:
  cat fullchain.pem privkey.pem > certbundle.pem
  cat fullchain.pem privkey.pem > certbundle.pem


The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert:
The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''' automatically.  It stops Apache, runs the commands described above, and starts Apache again.  This can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.  Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer.  If in doubt, run it from within a proper terminal emulator.


service apache2 stop  # Assuming Apache is running on the machine
=== Readability of the key files ===
letsencrypt-refresh
service apache2 start


The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.


Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer.  If in doubt, run it from within a proper terminal emulator.
== Ubuntu package repositories ==


=== Readability of the key files ===
Currently, FeministWiki runs on Ubuntu 16.04 LTS (Xenial), which has rather old Apache and PHP packages.  We use the Ubuntu PPAs <code>ondrej/apache2</code> and <code>ondrej/php</code> to get newer versions.


To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.
For F-Droid packages, we use the <code>fdroid/fdroidserver</code> Ubuntu PPA.


== Services ==
== Services ==
Line 138: Line 138:
Software: OpenLDAP
Software: OpenLDAP


The LDAP service contains the central database of FeministWiki members.  The structure looks like this:
The LDAP service contains the central database of FeministWiki members.  For details on the LDAP schema, see [[FeministWiki:LDAP Schema]].
 
* dc=feministwiki,dc=org
** ou=members
*** cn=''username'' <br/> objectClass: inetOrgPerson <br/> cn: ''username'' <br/> uid: ''username'' <br/> sn: - <br/> userPassword: {SSHA}''saltedhash'' <br/> mail: ''username''@feministwiki.org
*** cn=''username2'' <br/> objectClass: inetOrgPerson <br/> cn: ''username2'' <br/> uid: ''username2'' <br/> sn: - <br/> userPassword: {SSHA}''saltedhash2'' <br/> mail: ''username2''@feministwiki.org <br/> manager: cn=''username'',ou=members,dc=feministwiki,dc=org
*** ...
** ou=groups
*** cn=members <br/> objectClass: groupOfNames <br/> cn: members <br/> member: ''username'' <br/> member: ''username2'' <br/> member: ...
 
Notes:
* The <code>cn</code> (common name) and <code>uid</code> (user ID) fields both contain the username.  This is because some software is preconfigured to look at <code>uid</code>, while most look at <code>cn</code>.
* The <code>sn</code> (surname) field simply contains a minus character as a placeholder, because it's a mandatory field.
* The <code>manager</code> field is optional and we use it to record the member who added the member in question.
 
To make sure passwords are stored with the <code>{SSHA}</code> scheme rather than plain text, the <code>ppolicy</code> "password policy overlay" is used.  ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html
 
In short, the steps go as follows (these commands ''should'' work verbatim):
 
# Add the ppolicy schema
ldapadd -Y external -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif
# Enable the ppolicy dynamic module
ldapmodify -Y external -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
# Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
ldapadd -Y external -H ldapi:/// <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE
EOF


=== Wiki ===
=== Wiki ===
Line 248: Line 212:


There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google.  All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google.  All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.
=== Mailing lists ===
Email domain: lists.feministwiki.org <br/>
Software: GNU Mailman, Postfix
Postfix is configured to recognize <code>lists.feministwiki.org</code> as a "local" domain.  This means it uses the file specified in the <code>alias_maps</code> configuration directive (typically <code>/etc/aliases</code>) to decide the final recipient of an e-mail sent to this domain.  Correspondingly, we populate <code>/etc/aliases</code> with the aliases needed by Mailman to operate each mailing list it controls.
Note that there is no DNS entry for <code>lists.feministwiki.org</code> because e-mail software just checks the MX record for <code>feministwiki.org</code> when the recipient is from the domain <code><em>anything</em>.feministwiki.org</code>.


=== XMPP ===
=== XMPP ===
Line 263: Line 236:
FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication.
FeministIRC uses the [http://www.inspircd.org/ InspIRCd] IRC server with the <code>ldapauth</code> module for LDAP authentication.


=== Add a member ===
=== Account operations ===


Host: add-member.feministwiki.org <br/>
Host: account.feministwiki.org <br/>
Software: custom
Software: custom


The page to add a new member, hosted at <code>/var/www/add-member</code>, uses a bit of self-written HTML, PHP, and a setuid-root C program to invoke the shell script located at <code>/root/bin/fw-adduser</code> with root privileges.
This custom web interface hosted at <code>/var/www/account</code> lets you complete several tasks related to FeministWiki membership, such as changing your account settings, resetting your password, or adding a new member.  It also contains a form to request membership.  The interface is written in HTML, CSS, PHP, and C.
Retrieved from "https://feministwiki.org/wiki/Special:MobileDiff/602...750"