FeministWiki:Technical documentation

This page documents the FeministWiki's technical infrastructure, the target audience being technicians.

Hosts

The following table documents the basic DNS configuration, and can be used as part of the /etc/hosts file on each server to obviate the need for DNS lookups when connecting to one another.

IP FQDN Host Purpose Ports
85.214.101.34 feministwiki.org Wiki 80, 443
85.214.101.34 www.feministwiki.org www Wiki 80, 443
85.214.101.34 ldap.feministwiki.org ldap LDAP -
85.214.101.34 blogs.feministwiki.org blogs Blogging 80, 443
85.214.101.34 chat.feministwiki.org chat Web-client for XMPP 80, 443
85.214.101.34 forum.feministwiki.org forum BBS Forum 80, 443
85.214.101.34 mail.feministwiki.org mail Web-client for Mail 80, 443
85.214.101.34 files.feministwiki.org files File storage 80, 443
85.214.101.34 imap.feministwiki.org imap IMAP 993
85.214.101.34 pop3.feministwiki.org pop3 POP3 995
85.214.101.34 smtp.feministwiki.org smtp SMTP 25, 465, 587
85.214.101.34 xmpp.feministwiki.org xmpp XMPP 5222, 5269, 5280
85.214.101.34 irc.feministwiki.org irc IRC 6697
85.214.101.34 add-member.feministwiki.org add-member Add a member 80, 443

As you can see, all services are on the same server for now. However, it should be kept as an open possibility that the hosts are split across different IPs. When done so, the ldap host should listen on 636 for LDAPS connections.

Firewall

The simple ufw firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.

Special DNS entries

For CAA:

Type Name Flag Tag Value
CAA @ 0 issue letsencrypt.org
CAA @ 0 iodef admin@feministwiki.org

For email:

Type Host Data Purpose
MX @ smtp.feministwiki.org Mail server
TXT @ v=spf1 mx -all SPF
TXT mail._domainkey v=DKIM1; k=rsa; p=<pubkey> DKIM
TXT _dmarc v=DMARC1; p=reject; rua=mailto:admin@feministwiki.org DMARC

For XMPP:

Type Service Protocol Name Destination Port
SRV _xmpp-client _tcp @ xmpp.feministwiki.org 5222
SRV _xmpp-server _tcp @ xmpp.feministwiki.org 5269

Google Site Verification:

Type Host Data
TXT @ google-site-verification=<key>

SSH access

FeministWiki hosts have ssh enabled for root access, but password login is disabled. You must own a valid private key to log in.

Git repo of scripts and configuration

The following GitHub account hosts repositories with scripts and configuration used by the FeministWiki:

https://github.com/FeministWiki

Certs

The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.

To ease use of the letsencrypt command, the file /root/etc/domains contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the /etc/letsencrypt/live/feministwiki.org directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):

 # Use $() to eliminate the terminating newline, if any.
 domains=$(cat /root/etc/domains)
 
 domains=$(printf '%s' "$domains" | tr '\n' ',')
 
 letsencrypt certonly --authenticator standalone --keep --expand -d "$domains"

Additionally, for programs that require a cert file and its private key in a single combined .pem file, run the following commands to generate such a file:

cd /etc/letsencrypt/live/feministwiki.org
cat fullchain.pem privkey.pem > certbundle.pem

The script /root/bin/letsencrypt-refresh does all of the above, so in practice you just need to run the following commands to recreate the cert:

service apache2 stop  # Assuming Apache is running on the machine
letsencrypt-refresh
service apache2 start

The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to /root/etc/domains and run the commands.

Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer. If in doubt, run it from within a proper terminal emulator.

Readability of the key files

To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the ssl-cert group, which should have read access to the files in /etc/letsencrypt/live/feministwiki.org.

Services

This section documents the individual services of the FeministWiki. They should work regardless of what server they're on. I.e. every service could in theory be hosted on its own server.

LDAP

Host: ldap.feministwiki.org
Software: OpenLDAP

The LDAP service contains the central database of FeministWiki members. The structure looks like this:

  • dc=feministwiki,dc=org
    • ou=members
      • cn=username
        objectClass: inetOrgPerson
        cn: username
        uid: username
        sn: -
        userPassword: {SSHA}saltedhash
        mail: username@feministwiki.org
      • cn=username2
        objectClass: inetOrgPerson
        cn: username2
        uid: username2
        sn: -
        userPassword: {SSHA}saltedhash2
        mail: username2@feministwiki.org
        manager: cn=username,ou=members,dc=feministwiki,dc=org
      • ...
    • ou=groups
      • cn=members
        objectClass: groupOfNames
        cn: members
        member: username
        member: username2
        member: ...

Notes:

  • The cn (common name) and uid (user ID) fields both contain the username. This is because some software is preconfigured to look at uid, while most look at cn.
  • The sn (surname) field simply contains a minus character as a placeholder, because it's a mandatory field.
  • The manager field is optional and we use it to record the member who added the member in question.

To make sure passwords are stored with the {SSHA} scheme rather than plain text, the ppolicy "password policy overlay" is used. ZYTRAX has a very nice book about LDAP which documents how to enable this: http://www.zytrax.com/books/ldap/ch6/ppolicy.html

In short, the steps go as follows (these commands should work verbatim):

# Add the ppolicy schema
ldapadd -Y external -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif

# Enable the ppolicy dynamic module
ldapmodify -Y external -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF

# Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
ldapadd -Y external -H ldapi:/// <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE
EOF

Wiki

Host: feministwiki.org, www.feministwiki.org
Software: MediaWiki

The wiki uses a MediaWiki installation located at /var/www/wiki/w. It uses the LDAP Stack for login management, and the "Short URL" feature enabled with help of Apache's vhost configuration.

The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.

Blogs

Host: blogs.feministwiki.org
Software: WordPress (multisite)

This is an installation of WordPress in /var/www/blogs, with the "multisite network" feature enabled on a path-basis, so users can have their own blogs on URLs like blogs.feministwiki.org/janedoe. LDAP authentication is enabled via the AD/LDAP plugin from miniOrange.

Users from LDAP who log in for the first time are automatically registered as "Subscriber" accounts, and the admin can change their WordPress role "Author" to allow publishing.

This WordPress installation uses the SQL database called "blogs" and an SQL user of the same name.

Chat (web interface)

Host: chat.feministwiki.org
Software: Converse.js

The web-interface for the FeministChat uses the full-screen "Impress" variant of the Converse.js XMPP client. The hosted HTML and JS files are located at /var/www/chat, although they load Converse.js as an external script from upstream, which is why the self-hosted HTML and JS are very minimal.

Forum

Host: forum.feministwiki.org
Software: phpBB

The forum uses a phpBB installation located at /var/www/forum. Most configuration of phpBB, including LDAP authentication, is done through its administration panel. The style used by the forum is essentially Basic Orange, though the logo is changed via an inheriting style called FeministWiki.

The forum uses the SQL database called "feministforum" and the SQL user of the same name.

Mail (web interface)

Host: mail.feministwiki.org
Software: Roundcube

The web-interface for the FeministMail uses the Roundcube mail client, installed at /var/www/mail. It uses the standard "larry" style, but with some tweaks to logos and images.

Files

Host: files.feministwiki.org
Software: Nextcloud

FeministFiles is a Nextcloud installation with some branding, and LDAP authentication, installed at /var/www/files.

IMAP

Host: imap.feministwiki.org
Software: Dovecot

FeministMail uses the Dovecot IMAP server, configured for LDAP authentication and using virtual mail boxes under /home/vmail.

POP3

Host: pop3.feministwiki.org
Software: Dovecot

While Dovecot is primarily an IMAP server, it also offers POP3 support, which the FeministWiki installation has enabled.

SMTP

Host: smtp.feministwiki.org
Software: Postfix, OpenDKIM

FeministMail uses the Postfix SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under /home/vmail, and DKIM signing via OpenDKIM. Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.

There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.

XMPP

Host: xmpp.feministwiki.org
Software: ejabberd

FeministChat uses the ejabberd XMPP server, configured to use LDAP authentication and an LDAP-based shared roster group for all members.

IRC

Host: irc.feministwiki.org
Software: InspIRCd

FeministIRC uses the InspIRCd IRC server with the ldapauth module for LDAP authentication.

Add a member

Host: add-member.feministwiki.org
Software: custom

The page to add a new member, hosted at /var/www/add-member, uses a bit of self-written HTML, PHP, and a setuid-root C program to invoke the shell script located at /root/bin/fw-adduser with root privileges.