Difference between revisions of "FeministWiki:Technical documentation"

From FeministWiki
Jump to navigation Jump to search
Line 122: Line 122:
Software: MediaWiki
Software: MediaWiki
(continue here)
The wiki uses a [https://www.mediawiki.org/wiki/MediaWiki MediaWiki] installation located at <code>/var/www/wiki/w</code> with the [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication LDAP Authentication] plugin for login management and the "Short URL" feature enabled with help of Apache's vhost configuration, which is located at <code>/etc/apache2/sites-available/wiki.conf</code>.

Revision as of 12:47, 22 September 2018

This page documents the FeministWiki's technical infrastructure, the target audience being technicians.


The following table documents the DNS configuration, and can be used as part of the /etc/hosts file on each server to obviate the need for DNS lookups when connecting to one another.

IP FQDN Host Purpose feministwiki.org Wiki www.feministwiki.org www Wiki ldap.feministwiki.org ldap LDAP chat.feministwiki.org chat Web-client for XMPP forum.feministwiki.org forum BBS Forum mail.feministwiki.org mail Web-client for Mail files.feministwiki.org files File storage imap.feministwiki.org imap IMAP smtp.feministwiki.org smtp SMTP xmpp.feministwiki.org xmpp XMPP irc.feministwiki.org irc IRC social.feministwiki.org social GNU social add-member.feministwiki.org add-member Add a member

(As you can see, all services are on the same server for now.)

SSH access

FeministWiki hosts have ssh enabled for root access, but password login is disabled. You must own a valid private key to log in.

Git repo of scripts and configuration

The following GitHub account hosts repositories with scripts and configuration used by the FeministWiki:



The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.

To ease use of the letsencrypt command, the file /root/etc/domains contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the /etc/letsencrypt/live/feministwiki.org directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):

letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)"

Additionally, for programs that require a cert file and its private key in a single combined .pem file, run the following commands to generate such a file:

cd /etc/letsencrypt/live/feministwiki.org
cat fullchain.pem privkey.pem > certbundle.pem

The script /root/bin/letsencrypt-refresh does all of the above, so in practice you just need to run the following commands to recreate the cert:

service apache2 stop  # Assuming Apache is running on the machine
service apache2 start

The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to /root/etc/domains and run the commands.

Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer. Make sure to run it from within a proper terminal emulator.


This section documents the individual services of the FeministWiki. They should work regardless of what server they're on. I.e. every service could in theory be hosted on its own server.


Host: ldap.feministwiki.org
Software: OpenLDAP

The LDAP service contains the central database of FeministWiki members. The structure looks like this:

  • dc=feministwiki,dc=org
    • ou=members
      • cn=username
        objectClass: inetOrgPerson
        cn: username
        uid: username
        sn: -
        userPassword: {SSHA}saltedhash
        mail: username@feministwiki.org
      • cn=username2
        objectClass: inetOrgPerson
        cn: username2
        uid: username2
        sn: -
        userPassword: {SSHA}saltedhash2
        mail: username2@feministwiki.org
        manager: cn=username,ou=members,dc=feministwiki,dc=org
      • ...
    • ou=groups
      • cn=members
        objectClass: groupOfNames
        cn: members
        member: username
        member: username2
        member: ...


  • The cn (common name) and uid (user ID) fields both contain the username. This is because some software is preconfigured to look at uid, while most look at cn.
  • The sn (surname) field simply contains a minus character as a placeholder, because it's a mandatory field.
  • The manager field is optional and we use it to record the member who added the member in question.

To make sure passwords are stored with the {SSHA} scheme rather than plain text, the ppolicy "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html

In short, the steps go as follows (these commands should work verbatim):

# Add the ppolicy schema
ldapadd -Y external -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif

# Enable the ppolicy dynamic module
ldapmodify -Y external -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
ldapadd -Y external -H ldapi:/// <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE


Host: feministwiki.org, www.feministwiki.org
Software: MediaWiki

The wiki uses a MediaWiki installation located at /var/www/wiki/w with the LDAP Authentication plugin for login management and the "Short URL" feature enabled with help of Apache's vhost configuration, which is located at /etc/apache2/sites-available/wiki.conf.