FeministWiki:Technical documentation: Difference between revisions

no edit summary
No edit summary
(23 intermediate revisions by 2 users not shown)
Line 6: Line 6:


{| class="wikitable"
{| class="wikitable"
!IP            !! FQDN                        !! Host          !! Purpose
!IP            !! FQDN                        !! Host          !! Purpose                 !! Ports
|-
|-
|85.214.101.34 ||            feministwiki.org ||              || Wiki
|85.214.101.34 ||            feministwiki.org ||              || Wiki                   || 80, 443
|-
|-
|85.214.101.34 ||        www.feministwiki.org || www          || Wiki
|85.214.101.34 ||        www.feministwiki.org || www          || Wiki                   || 80, 443
|-
|-
|85.214.101.34 ||      ldap.feministwiki.org || ldap          || LDAP
|85.214.101.34 ||      ldap.feministwiki.org || ldap          || LDAP                   || -
|-
|-
|85.214.101.34 ||       chat.feministwiki.org || chat          || Web-client for XMPP
|85.214.101.34 ||     blogs.feministwiki.org || blogs        || Blogging                || 80, 443
|-
|-
|85.214.101.34 ||     forum.feministwiki.org || forum        || BBS Forum
|85.214.101.34 ||       chat.feministwiki.org || chat          || Web-client for XMPP    || 80, 443
|-
|-
|85.214.101.34 ||       mail.feministwiki.org || mail          || Web-client for Mail
|85.214.101.34 ||     forum.feministwiki.org || forum        || BBS Forum              || 80, 443
|-
|-
|85.214.101.34 ||     files.feministwiki.org || files        || File storage
|85.214.101.34 ||       mail.feministwiki.org || mail          || Web-client for Mail    || 80, 443
|-
|-
|85.214.101.34 ||       imap.feministwiki.org || imap          || IMAP
|85.214.101.34 ||     files.feministwiki.org || files        || File storage            || 80, 443
|-
|-
|85.214.101.34 ||      smtp.feministwiki.org || smtp         || SMTP
|85.214.101.34 ||      imap.feministwiki.org || imap         || IMAP                    || 993
|-
|-
|85.214.101.34 ||      xmpp.feministwiki.org || xmpp         || XMPP
|85.214.101.34 ||      pop3.feministwiki.org || pop3         || POP3                    || 995
|-
|-
|85.214.101.34 ||       irc.feministwiki.org || irc          || IRC
|85.214.101.34 ||       smtp.feministwiki.org || smtp          || SMTP                    || 25, 465, 587
|-
|-
|85.214.101.34 ||     social.feministwiki.org || social        || GNU social
|85.214.101.34 ||       xmpp.feministwiki.org || xmpp          || XMPP                    || 5222, 5269, 5280
|-
|-
|85.214.101.34 || add-member.feministwiki.org || add-member    || Add a member
|85.214.101.34 ||        irc.feministwiki.org || irc          || IRC                    || 6697
|-
|85.214.101.34 || add-member.feministwiki.org || add-member    || Add a member           || 80, 443
|}
|}


(As you can see, all services are on the same server for now.)
As you can see, all services are on the same server for now. However, it should be kept as an open possibility that the hosts are split across different IPs.  When done so, the <code>ldap</code> host should listen on 636 for LDAPS connections.
 
== Firewall ==
 
The simple <code>ufw</code> firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.


== Special DNS entries ==
== Special DNS entries ==


The following entries are used for email:
For CAA:
 
{| class="wikitable"
!Type !! Name !! Flag !! Tag  !! Value         
|-
|CAA  || @    || 0    || issue || letsencrypt.org
|-
|CAA  || @    || 0    || iodef || admin@feministwiki.org
|}
 
For email:


{| class="wikitable"
{| class="wikitable"
Line 51: Line 67:
|-
|-
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|}
For XMPP:
{| class="wikitable"
!Type !! Service      !! Protocol !! Name !! Destination          !! Port
|-
|-
|TXT || @               || google-site-verification=<key>                                        || Google Site Verification
|SRV || _xmpp-client || _tcp    || @   || xmpp.feministwiki.org || 5222
|-
|SRV  || _xmpp-server || _tcp    || @    || xmpp.feministwiki.org || 5269
|}
|}


And the following SRV records for XMPP:
Google Site Verification:


{| class="wikitable"
{| class="wikitable"
!Service      !! Protocol !! Name !! Destination          !! Port
!Type !! Host            !! Data
|-
|-
|_xmpp-client || _tcp    || @   || xmpp.feministwiki.org || 5222
|TXT  || @               || google-site-verification=<key>
|-
|_xmpp-server || _tcp    || @    || xmpp.feministwiki.org || 5269
|}
|}


Line 79: Line 101:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):


letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)"
  # Use $() to eliminate the terminating newline, if any.
  domains=$(cat /root/etc/domains)
 
  domains=$(printf '%s' "$domains" | tr '\n' ',')
 
  letsencrypt certonly --authenticator standalone --keep --expand -d "$domains"


Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Line 96: Line 123:
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.


Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer.  If in doubt, run it from within a proper terminal emulator.
 
=== Readability of the key files ===
 
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.


== Services ==
== Services ==
Line 153: Line 184:


The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.
The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.
=== Blogs ===
Host: blogs.feministwiki.org <br/>
Software: WordPress (multisite)
This is an installation of WordPress in <code>/var/www/blogs</code>, with the "multisite network" feature enabled on a path-basis, so users can have their own blogs on URLs like <code>blogs.feministwiki.org/janedoe</code>.  LDAP authentication is enabled via the AD/LDAP plugin from miniOrange.
Users from LDAP who log in for the first time are automatically registered as "Subscriber" accounts, and the admin can change their WordPress role "Author" to allow publishing.
This WordPress installation uses the SQL database called "blogs" and an SQL user of the same name.


=== Chat (web interface) ===
=== Chat (web interface) ===
Line 190: Line 232:


FeministMail uses the [https://www.dovecot.org/ Dovecot] IMAP server, configured for LDAP authentication and using virtual mail boxes under <code>/home/vmail</code>.
FeministMail uses the [https://www.dovecot.org/ Dovecot] IMAP server, configured for LDAP authentication and using virtual mail boxes under <code>/home/vmail</code>.
=== POP3 ===
Host: pop3.feministwiki.org <br/>
Software: Dovecot
While Dovecot is primarily an IMAP server, it also offers POP3 support, which the FeministWiki installation has enabled.


=== SMTP ===
=== SMTP ===


Host: smtp.feministwiki.org <br/>
Host: smtp.feministwiki.org <br/>
Software: Postfix
Software: Postfix, OpenDKIM
 
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM.  Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.


FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot and LDAP-based virtual mail boxes under <code>/home/vmail</code>.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.


=== XMPP ===
=== XMPP ===