https://wiki.fsci.in/api.php?action=feedcontributions&user=Pravs&feedformat=atomFSCI Wiki - User contributions [en]2024-03-28T22:23:08ZUser contributionsMediaWiki 1.37.2https://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=11042Poddery - Diaspora, Matrix and XMPP2023-11-28T10:15:28Z<p>Pravs: /* Coordination */</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://codema.in/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com] also bridged to xmpp [xmpp:poddery.com-support@chat.yax.im?join poddery.com-support@chat.yax.im]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.md workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://matrix-org.github.io/synapse/latest/upgrade synapse//latest/upgrade] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
* Current version of synapse can be found from https://poddery.com/_matrix/federation/v1/version<br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Reload tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= Troubleshooting =<br />
== Allow XMPP login even if diaspora account is closed ==<br />
Diaspora has a [https://github.com/diaspora/diaspora/blob/develop/Changelog.md#new-maintenance-feature-to-automatically-expire-inactive-accounts default setting] to close accounts that have been inactive for 2 years. At the time of writing, there seems [https://github.com/diaspora/diaspora/issues/5358#issuecomment-371921462 no way] to reopen a closed account. This also means that if your account is closed, you will no longer be able to login to the associated XMPP service as well. Here we discuss a workaround to get access back to the XMPP account.<br />
<br />
The prosody module [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua mod_auth_diaspora] is used for diaspora-based XMPP auth. It checks if <code>locked_at</code> value in the <code>users</code> table of diaspora db is <code>null</code> [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L89 here] and [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L98 here]. If your account is locked, it will have the <code>datetime</code> value that represents the date and time at which your account is locked. Setting it back to <code>null</code> will let you use your XMPP account again.<br />
<br />
-- Replace <username> with actual username of the locked account<br />
UPDATE users SET locked_at=NULL WHERE username='<username>';<br />
<br />
NOTE: Matrix account won't be affected even if the associated diaspora account is closed because it uses a [https://pypi.org/project/synapse-diaspora-auth/ custom auth module] which works differently.<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=11041Poddery - Diaspora, Matrix and XMPP2023-11-28T10:14:13Z<p>Pravs: /* Coordination */</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://codema.in/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com] also bridged to xmpp [[xmpp:poddery.com-support@chat.yax.im?join|poddery.com-support@chat.yax.im]]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.md workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://matrix-org.github.io/synapse/latest/upgrade synapse//latest/upgrade] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
* Current version of synapse can be found from https://poddery.com/_matrix/federation/v1/version<br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Reload tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= Troubleshooting =<br />
== Allow XMPP login even if diaspora account is closed ==<br />
Diaspora has a [https://github.com/diaspora/diaspora/blob/develop/Changelog.md#new-maintenance-feature-to-automatically-expire-inactive-accounts default setting] to close accounts that have been inactive for 2 years. At the time of writing, there seems [https://github.com/diaspora/diaspora/issues/5358#issuecomment-371921462 no way] to reopen a closed account. This also means that if your account is closed, you will no longer be able to login to the associated XMPP service as well. Here we discuss a workaround to get access back to the XMPP account.<br />
<br />
The prosody module [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua mod_auth_diaspora] is used for diaspora-based XMPP auth. It checks if <code>locked_at</code> value in the <code>users</code> table of diaspora db is <code>null</code> [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L89 here] and [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L98 here]. If your account is locked, it will have the <code>datetime</code> value that represents the date and time at which your account is locked. Setting it back to <code>null</code> will let you use your XMPP account again.<br />
<br />
-- Replace <username> with actual username of the locked account<br />
UPDATE users SET locked_at=NULL WHERE username='<username>';<br />
<br />
NOTE: Matrix account won't be affected even if the associated diaspora account is closed because it uses a [https://pypi.org/project/synapse-diaspora-auth/ custom auth module] which works differently.<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=11040Poddery - Diaspora, Matrix and XMPP2023-11-28T10:12:48Z<p>Pravs: /* Coordination */ add xmpp room address</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://codema.in/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com] also bridged to xmpp [[Xmpp:poddery.com-support@chat.yax.im?join|poddery.com-support@chat.yax.im]]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.md workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://matrix-org.github.io/synapse/latest/upgrade synapse//latest/upgrade] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
* Current version of synapse can be found from https://poddery.com/_matrix/federation/v1/version<br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Reload tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= Troubleshooting =<br />
== Allow XMPP login even if diaspora account is closed ==<br />
Diaspora has a [https://github.com/diaspora/diaspora/blob/develop/Changelog.md#new-maintenance-feature-to-automatically-expire-inactive-accounts default setting] to close accounts that have been inactive for 2 years. At the time of writing, there seems [https://github.com/diaspora/diaspora/issues/5358#issuecomment-371921462 no way] to reopen a closed account. This also means that if your account is closed, you will no longer be able to login to the associated XMPP service as well. Here we discuss a workaround to get access back to the XMPP account.<br />
<br />
The prosody module [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua mod_auth_diaspora] is used for diaspora-based XMPP auth. It checks if <code>locked_at</code> value in the <code>users</code> table of diaspora db is <code>null</code> [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L89 here] and [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L98 here]. If your account is locked, it will have the <code>datetime</code> value that represents the date and time at which your account is locked. Setting it back to <code>null</code> will let you use your XMPP account again.<br />
<br />
-- Replace <username> with actual username of the locked account<br />
UPDATE users SET locked_at=NULL WHERE username='<username>';<br />
<br />
NOTE: Matrix account won't be affected even if the associated diaspora account is closed because it uses a [https://pypi.org/project/synapse-diaspora-auth/ custom auth module] which works differently.<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=11028Learn Debian Packaging2022-02-05T07:16:35Z<p>Pravs: /* Level 0: Basics of release process and setup a development environment */Mention node-pretty-ms only for build from source</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Basics of release process and setup a development environment ==<br />
* [http://www.queryadmin.com/2203/how-to-install-a-deb-file-on-debian-linux-via-command-line/ How to Install a .Deb File via Command-Line]<br />
* [https://debian-handbook.info/browse/stable/sect.release-lifecycle.html Lifecycle of a Release]<br />
* [https://raphaelhertzog.com/2010/10/18/understanding-debians-release-process/ Understanding Debian’s release process]<br />
* [https://backports.debian.org/Instructions/ How to install packages from stable-backports]<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
* [https://wiki.debian.org/BuildingTutorial Building existing packages from source] (node-pretty-ms instructions is recent so fdupes example in the tutorial can be skipped)<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage/debuild, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Update existing packages to new upstream minor or patch versions ==<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of updating existing packages<br />
<br />
* [https://wiki.debian.org/UpdatingaPackagetoNewUpstreamVersion Update packages to new upstream version on Debian Wiki]<br />
* [https://wiki.debian.org/UsingQuilt Using Quilt on Debian Wiki]<br />
<br />
# How to send RFS mails<br />
# Using Quilt to modify upstream source if required<br />
<br />
== Level 3: Packaging more complicated modules ==<br />
<br />
Next step is packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 4: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP</div>Pravshttps://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=11016Poddery - Diaspora, Matrix and XMPP2021-10-23T11:38:06Z<p>Pravs: /* Coordination */Update link to loomio group.</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://codema.in/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.md workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://matrix-org.github.io/synapse/latest/upgrade synapse//latest/upgrade] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
* Current version of synapse can be found from https://poddery.com/_matrix/federation/v1/version<br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Reload tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=11013Poddery - Diaspora, Matrix and XMPP2021-09-19T20:18:29Z<p>Pravs: update the upgrade url</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://www.loomio.org/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.md workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://matrix-org.github.io/synapse/latest/upgrade synapse//latest/upgrade] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
* Current version of synapse can be found from https://poddery.com/_matrix/federation/v1/version<br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Relaod tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=11012Poddery - Diaspora, Matrix and XMPP2021-09-19T20:07:02Z<p>Pravs: /* Synapse Updation */ link to find current version</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://www.loomio.org/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.md workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst synapse/UPGRADE.rst] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
* Current version of synapse can be found from https://poddery.com/_matrix/federation/v1/version<br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Relaod tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=11006Learn Debian Packaging2021-08-02T19:41:07Z<p>Pravs: how to install .deb file via command line is added to level 0</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Basics of release process and setup a development environment ==<br />
* [http://www.queryadmin.com/2203/how-to-install-a-deb-file-on-debian-linux-via-command-line/ How to Install a .Deb File via Command-Line]<br />
* [https://raphaelhertzog.com/2010/10/18/understanding-debians-release-process/ Understanding Debian’s release process]<br />
* [https://backports.debian.org/Instructions/ How to install packages from stable-backports]<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
* [https://wiki.debian.org/BuildingTutorial Building existing packages from source]<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage/debuild, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Update existing packages to new upstream minor or patch versions ==<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of updating existing packages<br />
<br />
* [https://wiki.debian.org/UpdatingaPackagetoNewUpstreamVersion Update packages to new upstream version on Debian Wiki]<br />
* [https://wiki.debian.org/UsingQuilt Using Quilt on Debian Wiki]<br />
<br />
# How to send RFS mails<br />
# Using Quilt to modify upstream source if required<br />
<br />
== Level 3: Packaging more complicated modules ==<br />
<br />
Next step is packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 4: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=11005Learn Debian Packaging2021-07-01T16:33:48Z<p>Pravs: add installing from backports as a required step in level 0</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Basics of release process and setup a development environment ==<br />
<br />
* [https://raphaelhertzog.com/2010/10/18/understanding-debians-release-process/ Understanding Debian’s release process]<br />
* [https://backports.debian.org/Instructions/ How to install packages from stable-backports]<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
* [https://wiki.debian.org/BuildingTutorial Building existing packages from source]<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage/debuild, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Update existing packages to new upstream minor or patch versions ==<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of updating existing packages<br />
<br />
* [https://wiki.debian.org/UpdatingaPackagetoNewUpstreamVersion Update packages to new upstream version on Debian Wiki]<br />
* [https://wiki.debian.org/UsingQuilt Using Quilt on Debian Wiki]<br />
<br />
# How to send RFS mails<br />
# Using Quilt to modify upstream source if required<br />
<br />
== Level 3: Packaging more complicated modules ==<br />
<br />
Next step is packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 4: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=11004Learn Debian Packaging2021-06-27T14:06:20Z<p>Pravs: add Understanding Debian’s release process to level 0</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Basics of release process and setup a development environment ==<br />
<br />
* [https://raphaelhertzog.com/2010/10/18/understanding-debians-release-process/ Understanding Debian’s release process]<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
* [https://wiki.debian.org/BuildingTutorial Building existing packages from source]<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage/debuild, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Update existing packages to new upstream minor or patch versions ==<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of updating existing packages<br />
<br />
* [https://wiki.debian.org/UpdatingaPackagetoNewUpstreamVersion Update packages to new upstream version on Debian Wiki]<br />
* [https://wiki.debian.org/UsingQuilt Using Quilt on Debian Wiki]<br />
<br />
# How to send RFS mails<br />
# Using Quilt to modify upstream source if required<br />
<br />
== Level 3: Packaging more complicated modules ==<br />
<br />
Next step is packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 4: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=11003Learn Debian Packaging2021-06-15T16:21:18Z<p>Pravs: add another level for updating packages</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Setting up a Debian Sid environment for packaging ==<br />
<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
* [https://wiki.debian.org/BuildingTutorial Building existing packages from source]<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage/debuild, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Update existing packages to new upstream minor or patch versions ==<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of updating existing packages<br />
<br />
* [https://wiki.debian.org/UpdatingaPackagetoNewUpstreamVersion Update packages to new upstream version on Debian Wiki]<br />
* [https://wiki.debian.org/UsingQuilt Using Quilt on Debian Wiki]<br />
<br />
# How to send RFS mails<br />
# Using Quilt to modify upstream source if required<br />
<br />
== Level 3: Packaging more complicated modules ==<br />
<br />
Next step is packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 4: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=11002Learn Debian Packaging2021-06-15T13:17:03Z<p>Pravs: add link to building existing packages from source</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Setting up a Debian Sid environment for packaging ==<br />
<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
* [https://wiki.debian.org/BuildingTutorial Building existing packages from source]<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage/debuild, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Packaging more complicated modules ==<br />
<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 3: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP<br />
# How to send RFS mails</div>Pravshttps://wiki.fsci.in/index.php?title=IRC&diff=11001IRC2021-06-03T16:38:19Z<p>Pravs: adding +s stops spam attacks</p>
<hr />
<div>This is a list of FOSS communities in India who has a presence on IRC<br />
<br />
{| border="1" cellpadding="2"<br />
!width="150" style="background:#ffdead;" | Name <br />
!width="150" style="background:#ffdead;" | Channel <br />
!width="180" style="background:#ffdead;" | Server(s)<br />
|- style="background:#efefef;" <br />
| FOSS Community India || #fsci || [irc://irc.oftc.net irc.oftc.net]<br />
|-<br />
| GNU India || #gnu-india || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Linux India || ##linux-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackers India || #hackers-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Indlinux || #indlinux || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Debian India || #debian-in,#debianindia || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| KDE India || #kde-in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU aka GNU/Hurd India|| #hurd.in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Linuxchix|| #indichix || [irc://irc.linuxchix.org irc.linuxchix.org]<br />
|-<br />
| SMC Project || #smc-project || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| ILUG Cochin || #ilugkochi || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackerdom Thrissur || #hackerdom || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU/Linux Lovers || #gnulinuxlovers || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| FOSSCell, NITC || #FOSSCell || [irc://irc.freenode.net irc.freenode.net]<br />
|}<br />
<br />
== How to use matrix as an IRC client to join #fsci ==<br />
* See [https://gist.github.com/fstab/ce805d3001600ac147b79d413668770d this guide] for freenode specific instructions<br />
<br />
# On Matrix, open a new chat (with Riot app this is the "+" sign on the bottom right)<br />
# Invite @oftc-irc:matrix.org to the new chat<br />
# Say !nick <yournick> <br />
# A request for new chat with NickServ will pop up (if not invite @_oftc_NickServ:matrix.org). Accept it.<br />
# Send "REGISTER <password> <email>" to register your nickname.<br />
# "identify <password>" can be used to authenticate (in case the bridge reconnects)<br />
<br />
== Fighting IRC spam ==<br />
<br />
The following commands should be sent to '''@oftc-irc:matrix.org''' for OFTC channels or '''@appservice-irc:matrix.org''' for Freenode channels.<br />
<br />
''Unlist the room from directory'''<br />
This effectively stops all mass spamming attacks.<br />
* From Matrix:<br />
!cmd MODE #<channel name> +s<br />
<br />
* From IRC:<br />
"/mode #<channel name> +s"<br />
<br />
1. '''Quiet all unregistered users:'''<br />
* From Matrix:<br />
"!cmd MODE #<channel name> +q $~a"<br />
<br />
* From IRC:<br />
"/mode #<channel name> +q $~a"<br />
<br />
2. '''Add Matrix users to the exemption list'''<br />
<br />
* From Matrix:<br />
<br />
** For Freenode:<br />
"!cmd MODE #<channel name> +e *!*@gateway/shell/matrix.org/*"<br />
<br />
** For OFTC:<br />
"!cmd MODE #<channel name> +e *!*@2001:470:1af1:101:*"<br />
<br />
* From IRC:<br />
<br />
** For Freenode:<br />
"/mode #<channel name> +e *!*@gateway/shell/matrix.org/*"<br />
<br />
** For OFTC:<br />
"/mode #<channel name> +e *!*@2001:470:1af1:101:*"</div>Pravshttps://wiki.fsci.in/index.php?title=MediaWiki&diff=10982MediaWiki2021-02-26T19:27:27Z<p>Pravs: add a section for TLS certificates</p>
<hr />
<div>Documentation for this media wiki instance.<br />
<br />
==Domain==<br />
<br />
See [[Domains Managed]].<br />
<br />
==Hosting==<br />
<br />
Hosting is sponsored by http://www.coolwrks.com/.<br />
<br />
==TLS certificate==<br />
<br />
TLS certificate for wiki.fsci.org.in is part of [[GitLab]] server, this is a proxy for https://fosscommunity.in. See [[GitLab]] for renewing the TLS certificates.<br />
<br />
==Admins==<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=GitLab&diff=10981GitLab2021-02-26T19:24:32Z<p>Pravs: /* Setup */ gitlabce.tk expired</p>
<hr />
<div>Our public GitLab instance is https://git.fosscommunity.in<br />
<br />
==Hosting==<br />
<br />
Sponsored by [http://about.gitlab.com GitLab Inc]. Hosted at gandi.net in France.<br />
<br />
==Setup==<br />
<br />
Running on debian gnu/linux 10 buster with postgresql 11. Using gitlab package from http://fasttrack.debian.net<br />
<br />
Check https://wiki.debian.org/gitlab for installation/update instructions.<br />
<br />
Debian package specific documentation -> https://salsa.debian.org/ruby-team/gitlab/raw/buster-fasttrack/debian/README.Debian<br />
<br />
Letsencrypt domains:<br />
<br />
letsencrypt --expand --webroot --webroot-path /usr/share/gitlab/public -d git.fosscommunity.in -d gitlab.debian.net -d wiki.fsci.org.in -d git.fsci.org.in certonly<br />
<br />
== Mail Server Setup ==<br />
<br />
* postfix is used<br />
* SPF record is added (only a and aaaa allowed to send mails)<br />
* Reverse DNS is updated in gandi.net server ip section<br />
* Using letsencrypt certificates for tls in main.cf<br />
* Using 'inet_interfaces = 127.0.0.1' in main.cf<br />
* Configured DKIM following https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/<br />
* DMARC is set to reject<br />
<br />
==Maintenance==<br />
<br />
Maintenance discussion at [https://www.loomio.org/g/Qu3O8mSf/fosscommunity-in-git-fosscommunity-in-maintainers this loomio subgroup] and [https://matrix.to/#/#git.fosscommunity.in:matrix.org this matrix chat room]<br />
<br />
* [https://git.fosscommunity.in/community/gitlab/ team repo with access details] (private)<br />
<br />
==Gitlab QA - running tests==<br />
<br />
<Create a user account for QA><br />
<br />
<code><br />
$ sudo gem install gitlab-qa<br />
<br />
$ GITLAB_USERNAME=<username> GITLAB_PASSWORD=<password> gitlab-qa Test::Instance::Any gitlab/gitlab-ce-qa:<gitlab version> https://git.hacksk.xyz<br />
</code><br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 100 GB storage and 1 GB ram). Running on debian gnu/linux 10 buster. <br />
<br />
Documentation: https://linuxhint.com/setup_postgresql_replication/ and https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
===Slave configuration: Step 1===<br />
Install postgresql and rsync<br />
<br />
# apt-get install postgresql-contrib-11 rsync<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Create ssh key for postgres user<br />
<br />
# su - postgres<br />
$ ssh-keygen -t ed25519<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_ed25519.pub to master postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Stop postgresql before changing any configuration<br />
# systemctl stop postgresql@11-main<br />
<br />
as postgres user<br />
$ su - postgres<br />
$ cd /etc/postgresql/11/main<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,192.168.0.115'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
===Master configuration===<br />
<br />
Create and copy ssh public key to slave like above.<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to slave postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER rep REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
<br />
Allow slave to connect to master using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow rep user to get access to the server<br />
<br />
host replication rep 62.210.83.200/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,213.167.243.152'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
Now, to activate your changes, reload the postgresql server<br />
<br />
# systemctl reload postgresql@11-main<br />
<br />
You may need to restart it via systemd,<br />
<br />
# systemctl restart postgresql<br />
<br />
Open 5432 port in the firewall<br />
<br />
# ufw allow from 62.210.83.200 to any port 5432 proto tcp<br />
<br />
===Slave Configuration: Step 2===<br />
<br />
Copy data from master and create recovery.conf<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Start the slave server<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Replication Status===<br />
<br />
On master server ,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On slave server,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=10979Learn Debian Packaging2021-01-27T12:20:37Z<p>Pravs: add more details to different levels</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Level 0: Setting up a Debian Sid environment for packaging ==<br />
<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
<br />
By this time you should be familiar with <br />
# apt source/dget, <br />
# dpkg-source -x, <br />
# dpkg-buildpackage, <br />
# apt build-dep, <br />
# apt-source -b <br />
commands to rebuild an existing debian package from source.<br />
<br />
== Level 1: Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know,<br />
# creating lintian clean packages for simple modules and <br />
# building it in a clean environment like sbuild. <br />
# You should also know to import a dsc file to a git repo (gbp import-dsc --pristine-tar) and <br />
# push your work to a public git hosting service like salsa.debian.org (git push -u --all --follow-tags)<br />
<br />
== Level 2: Packaging more complicated modules ==<br />
<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
By this time you should know,<br />
# Creating patches with quilt<br />
# Repacking orig.tar and exclude specific files<br />
# Use pkg-js-tools options to build from source files<br />
# Build packages with typescript sources<br />
<br />
== Level 3: Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]<br />
<br />
By this time you should know,<br />
# How to file ITP<br />
# How to send RFS mails</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=10978Learn Debian Packaging2021-01-27T11:49:19Z<p>Pravs: add section about unpackaged modules</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Setting up a Debian Sid environment for packaging ==<br />
<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites Different options for setting up a Debian Sid environment]<br />
<br />
== Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/ Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know creating lintian clean packages for simple modules and building it in a clean environment like sbuild.<br />
<br />
== Packaging more complicated modules ==<br />
<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial Advanced tutorial for more complicated modules]<br />
<br />
== Pick an unpackaged but useful module and upload to archive ==<br />
<br />
* [https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175 List of node dependencies for gitlab]</div>Pravshttps://wiki.fsci.in/index.php?title=Learn_Debian_Packaging&diff=10976Learn Debian Packaging2021-01-27T09:58:12Z<p>Pravs: create a course outline</p>
<hr />
<div>We are guiding some learners of [https://camp.fsf.org.in|Free Software Camp] to learn Debian Packaging and this page will be used to track the progress of the tasks.<br />
<br />
== Setting up a Debian Sid environment for packaging ==<br />
<br />
* [https://wiki.debian.org/Packaging/Pre-Requisites| Different options for setting up a Debian Sid environment]<br />
<br />
== Learn basics of Packaging ==<br />
<br />
Understand the basic concepts using debmake/dh_make (getting source tarballs, creating source package, building the binary package, making it lintian clean)<br />
<br />
* [https://wiki.abrahamraji.in/simple-packaging-tutorial/|Abraham Raji's simple packaging tutorial]<br />
* [https://wiki.debian.org/SimplePackagingTutorial| Simple Packaging Tutorial on Debian Wiki]<br />
<br />
Once you understand the basic concepts, use npm2deb to automate some of those tasks like getting source tarball, a better debian directory template than the ones created by dh_make/debmake as npm2deb knows more details specific to node modules. You will still have to fix the remaining issues flagged by lintian.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/Tutorial|npm2deb Tutorial on Debian Wiki]<br />
<br />
By this time you should know creating lintian clean packages for simple modules and building it in a clean environment like sbuild.<br />
<br />
== Packaging more complicated modules ==<br />
<br />
Once you get a clear picture of packaging a simple module, we can move to the next stage of packaging more complicated modules that will involve things like, modifying some upstream files, removing some files from source tarball, generating some files from source, getting the source tarball from a git commit etc.<br />
<br />
* [https://wiki.debian.org/Javascript/Nodejs/Npm2Deb/AdvancedTutorial| Advanced tutorial for more complicated modules]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10975System Administrators Checklist2021-01-07T15:28:31Z<p>Pravs: add public key crypto article</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux - Follow https://www.debian.org/releases/stable/amd64/<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager - Follow https://opensource.com/business/16/9/linux-users-guide-lvm, create a virtual machine using tools like GNOME Boxes, Virt manager, Virtual Box etc. Learn about virtualization https://www.ibm.com/cloud/learn/virtualization-a-complete-guide<br />
# authenticating with ssh keys - Follow https://git.fosscommunity.in/help/ssh/README.md and https://www.redhat.com/sysadmin/configure-ssh-keygen<br />
<br />
= Basic Concepts (we will teach you) =<br />
# Public Key Cryptography https://hackernoon.com/public-key-cryptography-simply-explained-e932e3093046 (Asymmetric Key Encryption)<br />
# Let's Encrypt https://letsencrypt.org/ (Free automated TLS certificates for https)<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files. "Deprecating scp" - https://lwn.net/Articles/835962/<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
* Setup [https://wiki.debian.org/buildd buildd] for fasttrack - https://wiki.debian.org/BuilddSetup<br />
* Fix golang upload issues in fasttrack<br />
* Setup security tracker for fasttrack<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10972System Administrators Checklist2020-12-23T14:14:09Z<p>Pravs: add details about virtualization</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux - Follow https://www.debian.org/releases/stable/amd64/<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager - Follow https://opensource.com/business/16/9/linux-users-guide-lvm, create a virtual machine using tools like GNOME Boxes, Virt manager, Virtual Box etc. Learn about virtualization https://www.ibm.com/cloud/learn/virtualization-a-complete-guide<br />
# authenticating with ssh keys - Follow https://git.fosscommunity.in/help/ssh/README.md and https://www.redhat.com/sysadmin/configure-ssh-keygen<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
* Setup buildd for fasttrack<br />
* Fix golang upload issues in fasttrack<br />
* Setup security tracker for fasttrack<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10971System Administrators Checklist2020-12-23T13:44:51Z<p>Pravs: add fasttrack tasks</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux - Follow https://www.debian.org/releases/stable/amd64/<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager - Follow https://opensource.com/business/16/9/linux-users-guide-lvm<br />
# authenticating with ssh keys - Follow https://git.fosscommunity.in/help/ssh/README.md and https://www.redhat.com/sysadmin/configure-ssh-keygen<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
* Setup buildd for fasttrack<br />
* Fix golang upload issues in fasttrack<br />
* Setup security tracker for fasttrack<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10970System Administrators Checklist2020-12-21T09:50:42Z<p>Pravs: /* Pre-Requisites (you need to learn yourself) */Add link to lvm tutorial</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux - Follow https://www.debian.org/releases/stable/amd64/<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager - Follow https://opensource.com/business/16/9/linux-users-guide-lvm<br />
# authenticating with ssh keys - Follow https://git.fosscommunity.in/help/ssh/README.md and https://www.redhat.com/sysadmin/configure-ssh-keygen<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10969System Administrators Checklist2020-12-21T09:45:32Z<p>Pravs: /* Pre-Requisites (you need to learn yourself) */Add link for ssh key authentication</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux - Follow https://www.debian.org/releases/stable/amd64/<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys - Follow https://git.fosscommunity.in/help/ssh/README.md and https://www.redhat.com/sysadmin/configure-ssh-keygen<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10968System Administrators Checklist2020-12-21T09:37:19Z<p>Pravs: /* Pre-Requisites (you need to learn yourself) */Link to buster installation guide</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux - Follow https://www.debian.org/releases/stable/amd64/<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10967System Administrators Checklist2020-12-21T09:33:40Z<p>Pravs: /* Pre-Requisites (you need to learn yourself) */Add link to command line tutorial</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux<br />
# Familiarity with Command Line - Follow https://ryanstutorials.net/linuxtutorial/<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10966System Administrators Checklist2020-12-20T09:03:26Z<p>Pravs: add more tasks</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux<br />
# Familiarity with Command Line<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates - https://git.fosscommunity.in/fsfi/camp/-/issues/36#notes<br />
* Setup backup for all services<br />
* Setup ansible for all services<br />
* Security audit and compliance across all services<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10964System Administrators Checklist2020-12-14T17:04:36Z<p>Pravs: /* Server basics (we will teach you) */Add project tasks</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux<br />
# Familiarity with Command Line<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
= Free Software Camp Tasks =<br />
* Setup feed2toot for fsci blog, diasp.in updates<br />
<br />
= Free Software Camp Resources =<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10963System Administrators Checklist2020-12-13T10:49:28Z<p>Pravs: systemctl, rsync/cron,log files added</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux<br />
# Familiarity with Command Line<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# scheduled backups (rsync and cron)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
# Starting and stopping services (systemctl)<br />
# Log file handling (tail -f, truncate, logrotate)<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10962System Administrators Checklist2020-12-12T17:43:05Z<p>Pravs: add numbered list</p>
<hr />
<div>= Pre-Requisites (you need to learn yourself) =<br />
# How to install GNU/Linux<br />
# Familiarity with Command Line<br />
# disk partitioning with logical volume manager<br />
# authenticating with ssh keys<br />
<br />
= Server basics (we will teach you) =<br />
# switching users (sudo, su)<br />
# remote access (scp, rsync, custom ssh port, mosh),<br />
# software raid<br />
# encrypted partitions/luks (using virtual machines)<br />
# firewall with ufw<br />
# postgresql replication (backup)<br />
# lxc container (setup services on your local machine)<br />
# sharing passwords with gpg encrypted files<br />
# nginx basics (setup web server, add custom index page)<br />
# screen/tmux/nohup<br />
# symbolic links (ln -s)<br />
# locales<br />
# environment variables<br />
# local network configuration (/etc/hosts, ip, ss).<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Remote access to machines ==<br />
<br />
#. ssh - remote shell (with ssh server on custom ports)<br />
#. scp/sftp/rsync - copy files<br />
#. mosh - for bad connections<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10961System Administrators Checklist2020-12-12T15:02:41Z<p>Pravs: </p>
<hr />
<div>Pre-Requisites: How to install GNU/Linux, Familiarity with Command Line, disk partitioning with logical volume manager, authenticating with ssh keys<br />
<br />
Server basics (we will teach you): switching users (sudo, su), ssh key based authentication (scp, rsync, custom ssh port, mosh), software raid, encrypted partitions (using virtual machines), firewall with ufw, postgresql replication, lxc container (setup services on your local machine), sharing passwords with gpg encrypted files, nginx basic, screen/tmux/nohup, symbolic links (ln -s), locales, environment variables<br />
<br />
== Switching users ==<br />
<br />
sudo or su commands can be used to run commands as different users. `sudo -u <username>` for running as different user. `su - postgres` can give you a shell as postgres user.<br />
<br />
== Symbolic links ==<br />
<br />
Symbolic links can be used to store data in data partition without changing configuration files. For example /var/lib/postgresql can be a symbolic link to /data/postgresql where /data is a dedicated partition for storing data.<br />
<br />
== Setup correct Locales ==<br />
<br />
`dpkg-reconfigure locales` <br />
<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=System_Administrators_Checklist&diff=10960System Administrators Checklist2020-12-12T13:18:07Z<p>Pravs: create wiki page</p>
<hr />
<div>Pre-Requisites: How to install GNU/Linux, Familiarity with Command Line, disk partitioning with logical volume manager, authenticating with ssh keys<br />
<br />
Server basics (we will teach you): switching users (sudo, su), ssh key based authentication (scp, rsync, custom ssh port, mosh), software raid, encrypted partitions (using virtual machines), firewall with ufw, postgresql replication, lxc container (setup services on your local machine), sharing passwords with gpg encrypted files, nginx basic, screen/tmux/nohup<br />
<br />
* [[Hosting_Providers_with_free_tiers_or_credits]]</div>Pravshttps://wiki.fsci.in/index.php?title=Poddery_-_Diaspora,_Matrix_and_XMPP&diff=10935Poddery - Diaspora, Matrix and XMPP2020-09-19T15:48:13Z<p>Pravs: add mention about rescue mode</p>
<hr />
<div>We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.<br />
<br />
= Environment =<br />
== Hosting ==<br />
Poddery is hosted at [https://www.hetzner.com Hetzner] with the following specs:<br />
<br />
* Intel Xeon E3-1246V3 Process - 4 Cores, 3.5GHz<br />
* 4TB HDD<br />
* 32GB DDR3 RAM<br />
<br />
== Operating System ==<br />
* Debian Buster<br />
<br />
== User Visible Services ==<br />
=== Diaspora ===<br />
* Currently installed version is 0.7.6.1 which is available in [https://packages.debian.org/buster/diaspora-installer Debian Buster contrib]<br />
* For live statistics see https://poddery.com/statistics<br />
<br />
=== Chat/XMPP ===<br />
* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.<br />
* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].<br />
* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.<br />
<br />
=== Chat/Matrix ===<br />
* [https://matrix.org/docs/projects/server/synapse.html Synapse] is used as the Matrix server.<br />
* Synapse is currently installed directly from the [https://github.com/matrix-org/synapse official GitHub repo].<br />
* Riot-web Matrix client is hosted at https://chat.poddery.com<br />
<br />
=== Homepage ===<br />
Homepage and other static pages are maintained in FSCI [https://git.fosscommunity.in GitLab instance]. <br />
* poddery.com -> https://git.fosscommunity.in/community/poddery.com<br />
* save.poddery.com -> https://git.fosscommunity.in/community/save.poddery.com<br />
* fund.poddery.com -> https://git.fosscommunity.in/community/fund-poddery<br />
<br />
== Backend Services ==<br />
=== Web Server / Reverse Proxy ===<br />
* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.<br />
<br />
=== Database ===<br />
* PostgreSQL for Matrix<br />
* MySQL for Diaspora<br />
<br />
''TODO'': Consider migrating to PostgreSQL to optimize resources (We can reduce one service and RAM usage).<br />
<br />
=== Email ===<br />
* Exim<br />
<br />
=== SSL/TLS certificates ===<br />
* Let's Encrypt<br />
<br />
=== Firewall ===<br />
* UFW (Uncomplicated Firewall)<br />
<br />
=== Intrusion Prevention ===<br />
* Fail2ban<br />
<br />
= Coordination =<br />
* [https://www.loomio.org/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making<br />
* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com]<br />
* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks<br />
<br />
=== Contact ===<br />
* Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)<br />
* The following people have their GPG keys in the [[#Server_Access|access file]]:<br />
** ID: 0xCE1F9C674512C22A - Praveen Arimbrathodiyil (piratepin)<br />
** ID: 0xB77D2E2E23735427 - Balasankar C<br />
** ID: 0x5D0064186AF037D9 - Manu Krishnan T V<br />
** ID: 0x51C954405D432381 - Fayad Fami (fayad)<br />
** ID: 0x863D4DF2ED9C28EF - Abhijith PA<br />
** ID: 0x6EF48CCD865A1FFC - Syam G Krishnan (sgk)<br />
** ID: 0xFD49D0BC6FEAECDA - Sagar Ippalpalli<br />
** ID: 0x92FDAB42A95FF20C - Pirate Bady (piratesin)<br />
** ID: 0x0B1955F40C691CCE - Kannan<br />
** ID: 0x32FF6C6F5B7AE248 - Akhil Varkey<br />
** ID: 0xFBB7061C27CB70C1 - Ranjith Siji<br />
** ID: 0xEAAFE4A8F39DE34F - Kiran S Kunjumon (hacksk)<br />
* It's recommended to setup [http://www.vim.org/scripts/script.php?script_id=3645 Vim GnuPG Plugin] for transparent editing. Those who are new to GPG can follow [https://www.madboa.com/geek/gpg-quickstart/ this guide].<br />
<br />
=== Server Access ===<br />
Maintained in a private git repo at https://git.fosscommunity.in/community/access<br />
<br />
= Configuration and Maintenance =<br />
<br />
Boot into rescue system using https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system<br />
<br />
== Disk Partitioning ==<br />
* RAID 1 setup on 2x2TB HDDs (<code>sda</code> and <code>sdb</code>).<br />
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY<br />
* Separate partitions for swap (<code>md0</code> - 16GB), boot (<code>md1</code> - 512MB) and root (<code>md2</code> - 50GB).<br />
* LVM on Luks for separate encrypted data partitions for database, static files and logs.<br />
# Setup LUKS (make sure <code>lvm2</code>, <code>udev</code> and <code>cryptsetup</code> packages are installed).<br />
cryptsetup luksFormat /dev/mdX<br />
# Give disk encryption password as specified in the [[#Server_Access|access repo]]<br />
cryptsetup luksOpen /dev/mdX poddery<br />
<br />
# LVM Setup<br />
# Create physical volume named <code>poddery</code><br />
pvcreate /dev/mapper/poddery<br />
# Create volume group named <code>data</code><br />
vgcreate data /dev/mapper/poddery<br />
# Create logical volumes named <code>log</code>, <code>db</code> and <code>static</code><br />
lvcreate -n log /dev/data -L 50G<br />
lvcreate -n db /dev/data -L 500G<br />
# Assign remaining free space for static files<br />
lvcreate -n static /dev/data -l 100%FREE <br />
<br />
# Setup filesystem on the logical volumes<br />
mkfs.ext4 /dev/data/log<br />
mkfs.ext4 /dev/data/db<br />
mkfs.ext4 /dev/data/static<br />
<br />
# Create directories for mounting the encrypted partitions<br />
mkdir /var/lib/db /var/lib/static /var/log/poddery<br />
<br />
# Manually mount encrypted partitions. This is needed on each reboot as Hetzner doesn't provide a web console so that we can't decrypt the partitions during booting.<br />
mount /dev/data/db /var/lib/db<br />
mount /dev/data/static /var/lib/static<br />
mount /dev/data/log /var/log/poddery<br />
<br />
== Hardening checklist ==<br />
* SSH password based login disabled (allow only key based logins)<br />
* SSH login disabled for root user (use a normal user with sudo)<br />
# Check for the following settings in /etc/ssh/sshd_config:<br />
...<br />
PermitRootLogin no<br />
...<br />
PasswordAuthentication no<br />
...<br />
<br />
* <code>ufw</code> firewall enabled with only the ports that needs to be opened ([https://fxdata.cloud/tutorials/set-up-a-firewall-with-ufw-on-ubuntu-16-04 ufw tutorial]):<br />
ufw default deny incoming<br />
ufw default allow outgoing<br />
ufw allow ssh<br />
ufw allow http/tcp<br />
ufw allow https/tcp<br />
ufw allow Turnserver<br />
ufw allow XMPP<br />
ufw allow 8448<br />
<br />
ufw enable<br />
<br />
# Verify everything is setup properly<br />
ufw status<br />
<br />
# Enable ufw logging with default mode low<br />
ufw logging on<br />
<br />
* <code>fail2ban</code> configured against brute force attacks:<br />
# Check for the following line <code>/etc/ssh/sshd_config</code><br />
...<br />
LogLevel VERBOSE<br />
...<br />
<br />
# Restart SSH and enable fail2ban<br />
systemctl restart ssh<br />
systemctl enable fail2ban<br />
systemctl start fail2ban<br />
<br />
# To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following<br />
# Here <code>sshd</code> is the defaut jail name, change it if you are using a different jail<br />
fail2ban-client set sshd unbanip <banned_ip><br />
<br />
== Diaspora ==<br />
* Install <code>diaspora-installer</code> from Debian Buster contrib:<br />
apt install diaspora-installer<br />
<br />
* Move MySQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop mysql<br />
systemctl disable mysql<br />
mv /var/lib/mysql /var/lib/db/<br />
ln -s /var/lib/db/mysql /var/lib/<br />
systemctl start mysql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/diaspora<br />
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora<br />
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/<br />
chown -R diaspora: /var/lib/static/diaspora<br />
<br />
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).<br />
* Homepage configuration:<br />
# Make sure <code>git</code> and <code>acl</code> packages are installed<br />
# Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code><br />
setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public<br />
<br />
# Clone poddery.com repo<br />
cd /usr/share/diaspora/public<br />
git clone https://git.fosscommunity.in/community/poddery.com.git<br />
cd poddery.com && mv * .[^.]* .. #Give yes for all files when prompted<br />
cd .. && rmdir poddery.com<br />
<br />
* [https://save.poddery.com Save Poddery] repo is maintained as a sub module in poddery.com repo. See this [https://chrisjean.com/git-submodules-adding-using-removing-and-updating/ tutorial] for working with git submodules. <br />
# Clone save.poddery.com repo<br />
cd /usr/share/diaspora/public/save<br />
git submodule init<br />
git submodule update<br />
<br />
== Matrix ==<br />
* See the [https://github.com/matrix-org/synapse/blob/master/INSTALL.md official installation guide] of Synapse for installing from source.<br />
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.<br />
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.<br />
* Move PostgreSQL data to encrypted partition:<br />
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code><br />
systemctl stop postgresql<br />
systemctl disable postgresql<br />
mv /var/lib/postgres /var/lib/db/<br />
ln -s /var/lib/db/postgres /var/lib/<br />
systemctl start postgresql<br />
<br />
* Move static files to encrypted partition:<br />
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code><br />
mkdir /var/lib/static/synapse<br />
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/<br />
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/<br />
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/<br />
chown -R matrix-synapse: /var/lib/static/synapse<br />
<br />
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])<br />
<br />
=== Workers ===<br />
* For scalability, Poddery is running [https://github.com/matrix-org/synapse/blob/master/docs/workers.rst workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com<br />
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).<br />
* The worker config can be found at <code>/etc/matrix-synapse/workers</code><br />
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code><br />
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:<br />
enable_media_repo: False<br />
send_federation: False<br />
start_pushers: False<br />
update_user_directory: false<br />
<br />
* These services must be enabled:<br />
<br />
matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service<br />
<br />
To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code><br />
<br />
=== Synapse Updation ===<br />
* First check [https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst synapse/UPGRADE.rst] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code><br />
<br />
=== Riot-web Updation === <br />
* Just run the following (make sure to replace <code><version></code> with a proper version number like <code>v1.0.0</code>):<br />
/var/www/get-riot <version><br />
<br />
== Chat/XMPP ==<br />
* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP<br />
# Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:<br />
mysql -u root -p # Enter password from the access repo<br />
<br />
CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';<br />
GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';<br />
FLUSH PRIVILEGES;<br />
<br />
systemctl restart prosody<br />
<br />
* Install plugins<br />
# Make sure <code>mercurial</code> is installed<br />
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules<br />
<br />
=== Set Nginx Conf for BOSH URLS ===<br />
* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:<br />
upstream chat_cluster {<br />
server localhost:5280;<br />
}<br />
<br />
location /http-bind {<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $http_host;<br />
proxy_set_header X-Forwarded-Proto https;<br />
proxy_redirect off;<br />
proxy_connect_timeout 5;<br />
proxy_buffering off;<br />
proxy_read_timeout 70;<br />
keepalive_timeout 70;<br />
send_timeout 70;<br />
client_max_body_size 4M;<br />
client_body_buffer_size 128K;<br />
proxy_pass http://chat_cluster;<br />
}<br />
<br />
* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].<br />
<br />
== TLS ==<br />
* Install <code>letsencrypt</code>.<br />
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.<br />
chown -R root:ssl-cert /etc/letsencrypt<br />
chmod g+r -R /etc/letsencrypt<br />
chmod g+x /etc/letsencrypt/{archive,live}<br />
* Generate certificates. For more details see https://certbot.eff.org.<br />
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/diaspora/ssl<br />
''total 0<br />
''lrwxrwxrwx 1 root root 47 Apr 2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 45 Apr 2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key<br />
<br />
* Make sure the certificates used by <code>prosody</code> are symbolic links to letsencrypt default location:<br />
ls -l /etc/prosody/certs/<br />
''total 0''<br />
''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''<br />
''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''<br />
<br />
# If you don't get the above output, then run the following:<br />
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt<br />
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key<br />
<br />
* Note- letsencrypt executable used below is actually a symlik to /usr/bin/certbot<br />
* Cron jobs:<br />
crontab -e<br />
''30 2 * * 1 letsencrypt renew >> /var/log/le-renew.log''<br />
''32 2 * * 1 /etc/init.d/nginx reload''<br />
''34 2 * * 1 /etc/init.d/prosody reload''<br />
<br />
* Manually updating TLS certificate:<br />
letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com<br />
* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below<br />
letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com<br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 180 GB storage and 1 GB ram ). <br />
<br />
Debian Stetch was upgraded Debian Buster before database relication of synapse database. <br />
<br />
Documentation: https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
Currently postgres database for matrix-synapse is backed up.<br />
<br />
===Before Replication (specific to poddery.com)===<br />
<br />
Setup tinc vpn in the backup server<br />
<br />
# apt install tinc<br />
<br />
Configure tinc by creating tinc.conf and host podderybackup under label fsci.<br />
Add tinc-up and tinc-down scripts<br />
Copy poddery host config to backup server and podderybackup host config to poddery.com server.<br />
<br />
Relaod tinc vpn service at both poddery.com and backup servers<br />
<br />
# systemctl reload tinc@fsci.service<br />
<br />
Enable tinc@fsci systemd service for autostart<br />
<br />
# systemctl enable tinc@fsci.service<br />
<br />
The synapse database was also pruned to reduce the size before replication by following this guide - https://levans.fr/shrink-synapse-database.html<br />
If you want to follow this guide, make sure matrix synapse server is updated to version 1.13 atleast since it introduces the Rooms API mentioned the guide.<br />
Changes done to steps in the guide.<br />
<br />
# jq '.rooms[] | select(.joined_local_members == 0) | .room_id' < roomlist.json | sed -e 's/"//g' > to_purge.txt<br />
<br />
The room list obtained this way can, be looped to pass the room names as variables to the purge api. <br />
<br />
# set +H // if you are using bash to avoid '!' in the roomname triggering the history substitution.<br />
# for room_id in $(cat to_purge.txt); do curl --header "Authorization: Bearer <your access token>" \<br />
-X POST -H "Content-Type: application/json" -d "{ \"room_id\": \"$room_id\" }" \<br />
'https://127.0.0.1:8008/_synapse/admin/v1/purge_room'; done;<br />
<br />
We also did not remove old history of large rooms.<br />
<br />
===Step 1: Postgresql (for synapse) Primary configuration===<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER replication REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
The password is in the access repo if you need it later.<br />
<br />
Allow standby to connect to primary using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow replication user to get access to the server<br />
<br />
host replication replication 172.16.0.3/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,172.16.0.2'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
wal_keep_segments = 64<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
<br />
You need to restart since postgresql.conf was edited and parameters changed,<br />
<br />
# systemctl restart postgresql<br />
<br />
===Step 2: Postgresql (for synapse) Standby configuration ===<br />
<br />
Install postgresql <br />
<br />
# apt install postgresql<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Stop postgresql before changing any configuration<br />
<br />
#systemctl stop postgresql@11-main<br />
<br />
Switch to postgres user<br />
<br />
# su - postgres<br />
$ cd /etc/postgresql/11/<br />
<br />
Copy data from master and create recovery.conf<br />
<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
max_connections = 500 // This option and the one below are set to be same as in postgresql.conf at primary or the service won't start.<br />
max_worker_processes = 16<br />
host_standby = on // The above pg_basebackup command should set it. If it's not manually turn it to on.<br />
<br />
Start the stopped postgresql service<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Postgresql (for synapse) Replication Status===<br />
<br />
On Primary,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On Standby,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
= History =<br />
* [[Poddery/Archive|See here]] for the archive of Poddery wiki page before the migration to Hetzner.<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Mailing_list&diff=10888Mailing list2020-08-01T04:24:02Z<p>Pravs: add more dkim validator services</p>
<hr />
<div><br />
Mailing lists are very useful communication and coordination tool. FSCI provides mailing lists to Free Libre Open Source (FLOSS) groups and non profit organizations. If you want to open a new public list, please drop a mail at [mailto:postmaster@lists.fsci.org.in postmaster(at)lists.fsci.org.in].<br />
<br />
= Environment =<br />
== Machine Summary ==<br />
We are on [https://www.scaleway.com/virtual-cloud-servers scaleway] virtual cloud server.<br />
<br />
{|<br />
| * Cores||: 2 x86 cores <br />
|-<br />
| * Memory||: 2GB<br />
|-<br />
|* Disk||: 50GB<br />
|-<br />
|* OS||: Debian GNU/Linux<br />
|-<br />
|* Web Server||: Nginx<br />
|-<br />
|* List manager||: Mailman3<br />
|-<br />
|* Host name||: [https://lists.fsci.org.in lists.fsci.org.in]<br />
|}<br />
= Coordination =<br />
<br />
* Hangout with us in our Matrix room [https://matrix.to/#/#mailman:poddery.com #mailman:poddery.com]<br />
* [https://git.fosscommunity.in/community/lists.fsci.org.in/issues issue tracker] - we use this to track progress of tasks<br />
<br />
== Admins ==<br />
<br />
Abhijith PA, Prinz Piuz, Balasankar C <br />
<br />
== Admin Documentation ==<br />
<br />
== Verify DKIM and other settings for new domains ==<br />
<br />
Create a text file, dkim-test.txt (replace To address with random address generated by https://dkimvalidator.com or https://www.mail-tester.com/)<br />
<br />
From: "Test" <test-dkim@mm.gnu.org.in><br />
To: <random-address>@dkimvalidator.com<br />
Subject: Testing DKIM and other settings for this domain<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Transfer-Encoding: 8bit<br />
<br />
This email is to test email settings for a domain is correct<br />
<br />
and use sendmail command to send it<br />
<br />
/usr/sbin/sendmail -t < dkim-test.txt<br />
<br />
----<br />
<br />
[[Category: Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Mailing_list&diff=10887Mailing list2020-08-01T03:53:50Z<p>Pravs: add dkim validator test documentation</p>
<hr />
<div><br />
Mailing lists are very useful communication and coordination tool. FSCI provides mailing lists to Free Libre Open Source (FLOSS) groups and non profit organizations. If you want to open a new public list, please drop a mail at [mailto:postmaster@lists.fsci.org.in postmaster(at)lists.fsci.org.in].<br />
<br />
= Environment =<br />
== Machine Summary ==<br />
We are on [https://www.scaleway.com/virtual-cloud-servers scaleway] virtual cloud server.<br />
<br />
{|<br />
| * Cores||: 2 x86 cores <br />
|-<br />
| * Memory||: 2GB<br />
|-<br />
|* Disk||: 50GB<br />
|-<br />
|* OS||: Debian GNU/Linux<br />
|-<br />
|* Web Server||: Nginx<br />
|-<br />
|* List manager||: Mailman3<br />
|-<br />
|* Host name||: [https://lists.fsci.org.in lists.fsci.org.in]<br />
|}<br />
= Coordination =<br />
<br />
* Hangout with us in our Matrix room [https://matrix.to/#/#mailman:poddery.com #mailman:poddery.com]<br />
* [https://git.fosscommunity.in/community/lists.fsci.org.in/issues issue tracker] - we use this to track progress of tasks<br />
<br />
== Admins ==<br />
<br />
Abhijith PA, Prinz Piuz, Balasankar C <br />
<br />
== Admin Documentation ==<br />
<br />
== Verify DKIM and other settings for new domains ==<br />
<br />
Create a text file, dkim-test.txt (replace To address with random address generated by https://dkimvalidator.com)<br />
<br />
From: "Test" <test-dkim@mm.gnu.org.in><br />
To: <random-address>@dkimvalidator.com<br />
Subject: Testing DKIM and other settings for this domain<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Transfer-Encoding: 8bit<br />
<br />
This email is to test email settings for a domain is correct<br />
<br />
and use sendmail command to send it<br />
<br />
/usr/sbin/sendmail -t < dkim-test.txt<br />
<br />
----<br />
<br />
[[Category: Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Discourse/Archive&diff=10870Discourse/Archive2020-04-19T12:41:00Z<p>Pravs: Add Forum to name</p>
<hr />
<div>India OS Forum - https://forum.indiaos.in - Maintained by Zerodha and Frappe Technologies<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=GitLab&diff=10868GitLab2020-03-06T17:17:17Z<p>Pravs: </p>
<hr />
<div>Our public GitLab instance is https://git.fosscommunity.in<br />
<br />
==Hosting==<br />
<br />
Sponsored by [http://about.gitlab.com GitLab Inc]. Hosted at gandi.net in France.<br />
<br />
==Setup==<br />
<br />
Running on debian gnu/linux 10 buster with postgresql 11. Using gitlab package from http://fasttrack.debian.net<br />
<br />
Check https://wiki.debian.org/gitlab for installation/update instructions.<br />
<br />
Debian package specific documentation -> https://salsa.debian.org/ruby-team/gitlab/raw/buster-fasttrack/debian/README.Debian<br />
<br />
Letsencrypt domains:<br />
<br />
letsencrypt --expand --webroot --webroot-path /usr/share/gitlab/public -d git.fosscommunity.in -d gitlabce.tk -d gitlab.debian.net -d wiki.fsci.org.in -d git.fsci.org.in certonly<br />
<br />
== Mail Server Setup ==<br />
<br />
* postfix is used<br />
* SPF record is added (only a and aaaa allowed to send mails)<br />
* Reverse DNS is updated in gandi.net server ip section<br />
* Using letsencrypt certificates for tls in main.cf<br />
* Using 'inet_interfaces = 127.0.0.1' in main.cf<br />
* Configured DKIM following https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/<br />
* DMARC is set to reject<br />
<br />
==Maintenance==<br />
<br />
Maintenance discussion at [https://www.loomio.org/g/Qu3O8mSf/fosscommunity-in-git-fosscommunity-in-maintainers this loomio subgroup] and [https://matrix.to/#/#git.fosscommunity.in:matrix.org this matrix chat room]<br />
<br />
* [https://git.fosscommunity.in/community/gitlab/ team repo with access details] (private)<br />
<br />
==Gitlab QA - running tests==<br />
<br />
<Create a user account for QA><br />
<br />
<code><br />
$ sudo gem install gitlab-qa<br />
<br />
$ GITLAB_USERNAME=<username> GITLAB_PASSWORD=<password> gitlab-qa Test::Instance::Any gitlab/gitlab-ce-qa:<gitlab version> https://git.hacksk.xyz<br />
</code><br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 100 GB storage and 1 GB ram). Running on debian gnu/linux 10 buster. <br />
<br />
Documentation: https://linuxhint.com/setup_postgresql_replication/ and https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
===Slave configuration: Step 1===<br />
Install postgresql and rsync<br />
<br />
# apt-get install postgresql-contrib-11 rsync<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Create ssh key for postgres user<br />
<br />
# su - postgres<br />
$ ssh-keygen -t ed25519<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_ed25519.pub to master postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Stop postgresql before changing any configuration<br />
# systemctl stop postgresql@11-main<br />
<br />
as postgres user<br />
$ su - postgres<br />
$ cd /etc/postgresql/11/main<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,192.168.0.115'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
===Master configuration===<br />
<br />
Create and copy ssh public key to slave like above.<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to slave postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER rep REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
<br />
Allow slave to connect to master using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow rep user to get access to the server<br />
<br />
host replication rep 62.210.83.200/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,213.167.243.152'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
Now, to activate your changes, reload the postgresql server<br />
<br />
# systemctl reload postgresql@11-main<br />
<br />
You may need to restart it via systemd,<br />
<br />
# systemctl restart postgresql<br />
<br />
Open 5432 port in the firewall<br />
<br />
# ufw allow from 62.210.83.200 to any port 5432 proto tcp<br />
<br />
===Slave Configuration: Step 2===<br />
<br />
Copy data from master and create recovery.conf<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Start the slave server<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Replication Status===<br />
<br />
On master server ,<br />
<br />
$ ps -ef | grep sender<br />
$ psql -c "select * from pg_stat_activity where usename='rep';"<br />
<br />
On slave server,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=GitLab&diff=10867GitLab2020-03-06T17:14:12Z<p>Pravs: </p>
<hr />
<div>Our public GitLab instance is https://git.fosscommunity.in<br />
<br />
==Hosting==<br />
<br />
Sponsored by [http://about.gitlab.com GitLab Inc]. Hosted at gandi.net in France.<br />
<br />
==Setup==<br />
<br />
Running on debian gnu/linux 10 buster with postgresql 11. Using gitlab package from http://fasttrack.debian.net<br />
<br />
Check https://wiki.debian.org/gitlab for installation/update instructions.<br />
<br />
Debian package specific documentation -> https://salsa.debian.org/ruby-team/gitlab/raw/buster-fasttrack/debian/README.Debian<br />
<br />
Letsencrypt domains:<br />
<br />
letsencrypt --expand --webroot --webroot-path /usr/share/gitlab/public -d git.fosscommunity.in -d gitlabce.tk -d gitlab.debian.net -d wiki.fsci.org.in -d git.fsci.org.in certonly<br />
<br />
== Mail Server Setup ==<br />
<br />
* postfix is used<br />
* SPF record is added (only a and aaaa allowed to send mails)<br />
* Reverse DNS is updated in gandi.net server ip section<br />
* Using letsencrypt certificates for tls in main.cf<br />
* Using 'inet_interfaces = 127.0.0.1' in main.cf<br />
* Configured DKIM following https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/<br />
* DMARC is set to reject<br />
<br />
==Maintenance==<br />
<br />
Maintenance discussion at [https://www.loomio.org/g/Qu3O8mSf/fosscommunity-in-git-fosscommunity-in-maintainers this loomio subgroup] and [https://matrix.to/#/#git.fosscommunity.in:matrix.org this matrix chat room]<br />
<br />
* [https://git.fosscommunity.in/community/gitlab/ team repo with access details] (private)<br />
<br />
==Gitlab QA - running tests==<br />
<br />
<Create a user account for QA><br />
<br />
<code><br />
$ sudo gem install gitlab-qa<br />
<br />
$ GITLAB_USERNAME=<username> GITLAB_PASSWORD=<password> gitlab-qa Test::Instance::Any gitlab/gitlab-ce-qa:<gitlab version> https://git.hacksk.xyz<br />
</code><br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 100 GB storage and 1 GB ram). Running on debian gnu/linux 10 buster. <br />
<br />
Documentation: https://linuxhint.com/setup_postgresql_replication/ and https://www.percona.com/blog/2018/09/07/setting-up-streaming-replication-postgresql/<br />
<br />
===Slave configuration: Step 1===<br />
Install postgresql and rsync<br />
<br />
# apt-get install postgresql-contrib-11 rsync<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Create ssh key for postgres user<br />
<br />
# su - postgres<br />
$ ssh-keygen -t ed25519<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_ed25519.pub to master postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Stop postgresql before changing any configuration<br />
# systemctl stop postgresql@11-main<br />
<br />
as postgres user<br />
$ su - postgres<br />
$ cd /etc/postgresql/11/main<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,192.168.0.115'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
===Master configuration===<br />
<br />
Create and copy ssh public key to slave like above.<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to slave postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER rep REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
<br />
Allow slave to connect to master using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow rep user to get access to the server<br />
<br />
host replication rep 62.210.83.200/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,213.167.243.152'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
Now, to activate your changes, reload the postgresql server<br />
<br />
# systemctl reload postgresql@11-main<br />
<br />
You may need to restart it via systemd,<br />
<br />
# systemctl restart postgresql<br />
<br />
Open 5432 port in the firewall<br />
<br />
# ufw allow from 62.210.83.200 to any port 5432 proto tcp<br />
<br />
===Slave Configuration: Step 2===<br />
<br />
Copy data from master and create recovery.conf<br />
$ pg_basebackup -h git.fosscommunity.in -D /var/lib/postgresql/11/main/ -P -U rep --wal-method=fetch -R<br />
<br />
Start the slave server<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Replication Status===<br />
<br />
On master server ,<br />
<br />
$ ps -ef | grep sender<br />
On slave server,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=GitLab&diff=10866GitLab2020-03-06T13:05:47Z<p>Pravs: /* Backup */ update for postgresql 11</p>
<hr />
<div>Our public GitLab instance is https://git.fosscommunity.in<br />
<br />
==Hosting==<br />
<br />
Sponsored by [http://about.gitlab.com GitLab Inc]. Hosted at gandi.net in France.<br />
<br />
==Setup==<br />
<br />
Running on debian gnu/linux 10 buster with postgresql 11. Using gitlab package from http://fasttrack.debian.net<br />
<br />
Check https://wiki.debian.org/gitlab for installation/update instructions.<br />
<br />
Debian package specific documentation -> https://salsa.debian.org/ruby-team/gitlab/raw/buster-fasttrack/debian/README.Debian<br />
<br />
Letsencrypt domains:<br />
<br />
letsencrypt --expand --webroot --webroot-path /usr/share/gitlab/public -d git.fosscommunity.in -d gitlabce.tk -d gitlab.debian.net -d wiki.fsci.org.in -d git.fsci.org.in certonly<br />
<br />
== Mail Server Setup ==<br />
<br />
* postfix is used<br />
* SPF record is added (only a and aaaa allowed to send mails)<br />
* Reverse DNS is updated in gandi.net server ip section<br />
* Using letsencrypt certificates for tls in main.cf<br />
* Using 'inet_interfaces = 127.0.0.1' in main.cf<br />
* Configured DKIM following https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/<br />
* DMARC is set to reject<br />
<br />
==Maintenance==<br />
<br />
Maintenance discussion at [https://www.loomio.org/g/Qu3O8mSf/fosscommunity-in-git-fosscommunity-in-maintainers this loomio subgroup] and [https://matrix.to/#/#git.fosscommunity.in:matrix.org this matrix chat room]<br />
<br />
* [https://git.fosscommunity.in/community/gitlab/ team repo with access details] (private)<br />
<br />
==Gitlab QA - running tests==<br />
<br />
<Create a user account for QA><br />
<br />
<code><br />
$ sudo gem install gitlab-qa<br />
<br />
$ GITLAB_USERNAME=<username> GITLAB_PASSWORD=<password> gitlab-qa Test::Instance::Any gitlab/gitlab-ce-qa:<gitlab version> https://git.hacksk.xyz<br />
</code><br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu (KVM virtual machine with 100 GB storage and 1 GB ram). Running on debian gnu/linux 10 buster. <br />
<br />
Documentation: https://linuxhint.com/setup_postgresql_replication/<br />
<br />
===Slave configuration: Step 1===<br />
Install postgresql and rsync<br />
<br />
# apt-get install postgresql-contrib-11 rsync<br />
<br />
Check postgresql server is running<br />
<br />
# su postgres -c psql<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Create ssh key for postgres user<br />
<br />
# su - postgres<br />
$ ssh-keygen -t ed25519<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_ed25519.pub to master postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Stop postgresql before changing any configuration<br />
# systemctl stop postgresql@11-main<br />
<br />
as postgres user<br />
$ su - postgres<br />
$ cd /etc/postgresql/11/main<br />
<br />
Open the postgres configuration file<br />
<br />
$ nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,192.168.0.115'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
===Master configuration===<br />
<br />
Create and copy ssh public key to slave like above.<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to slave postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER rep REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
<br />
Allow slave to connect to master using the user just created.<br />
<br />
$ cd /etc/postgresql/11/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow rep user to get access to the server<br />
<br />
host replication rep 62.210.83.200/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,213.167.243.152'<br />
port=5432<br />
wal_level = replica<br />
max_wal_senders = 1<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
hot_standby = on<br />
<br />
Now, to activate your changes, reload the postgresql server<br />
<br />
# systemctl reload postgresql@11-main<br />
<br />
You may need to restart it via systemd,<br />
<br />
# systemctl restart postgresql<br />
<br />
Start the backup process,<br />
<br />
psql -c "select pg_start_backup('initial_backup');"<br />
rsync -cva -e 'ssh -p 12022' --inplace --exclude=*pg_xlog* /var/lib/postgresql/11/main/ 62.210.83.200:/var/lib/postgresql/11/main/<br />
psql -c "select pg_stop_backup();"<br />
<br />
Open 5432 port in the firewall<br />
<br />
# ufw allow from 62.210.83.200 to any port 5432 proto tcp<br />
<br />
===Slave Configuration: Step 2===<br />
Create a recovery file called recovery.conf and add following lines.<br />
standby_mode = 'on'<br />
primary_conninfo = 'host=213.167.243.152 port=5432 user=rep password=yourpassword'<br />
trigger_file = '/tmp/postgresql.trigger.5432'<br />
<br />
Start the slave server<br />
<br />
# systemctl start postgresql@11-main<br />
<br />
===Replication Status===<br />
<br />
On master server ,<br />
<br />
$ ps -ef | grep sender<br />
On slave server,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=GitLab&diff=10865GitLab2020-03-06T09:25:12Z<p>Pravs: update gitlab setup section</p>
<hr />
<div>Our public GitLab instance is https://git.fosscommunity.in<br />
<br />
==Hosting==<br />
<br />
Sponsored by [http://about.gitlab.com GitLab Inc]. Hosted at gandi.net in France.<br />
<br />
==Setup==<br />
<br />
Running on debian gnu/linux 10 buster with postgresql 11. Using gitlab package from http://fasttrack.debian.net<br />
<br />
Check https://wiki.debian.org/gitlab for installation/update instructions.<br />
<br />
Debian package specific documentation -> https://salsa.debian.org/ruby-team/gitlab/raw/buster-fasttrack/debian/README.Debian<br />
<br />
Letsencrypt domains:<br />
<br />
letsencrypt --expand --webroot --webroot-path /usr/share/gitlab/public -d git.fosscommunity.in -d gitlabce.tk -d gitlab.debian.net -d wiki.fsci.org.in -d git.fsci.org.in certonly<br />
<br />
== Mail Server Setup ==<br />
<br />
* postfix is used<br />
* SPF record is added (only a and aaaa allowed to send mails)<br />
* Reverse DNS is updated in gandi.net server ip section<br />
* Using letsencrypt certificates for tls in main.cf<br />
* Using 'inet_interfaces = 127.0.0.1' in main.cf<br />
* Configured DKIM following https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/<br />
* DMARC is set to reject<br />
<br />
==Maintenance==<br />
<br />
Maintenance discussion at [https://www.loomio.org/g/Qu3O8mSf/fosscommunity-in-git-fosscommunity-in-maintainers this loomio subgroup] and [https://matrix.to/#/#git.fosscommunity.in:matrix.org this matrix chat room]<br />
<br />
* [https://git.fosscommunity.in/community/gitlab/ team repo with access details] (private)<br />
<br />
==Gitlab QA - running tests==<br />
<br />
<Create a user account for QA><br />
<br />
<code><br />
$ sudo gem install gitlab-qa<br />
<br />
$ GITLAB_USERNAME=<username> GITLAB_PASSWORD=<password> gitlab-qa Test::Instance::Any gitlab/gitlab-ce-qa:<gitlab version> https://git.hacksk.xyz<br />
</code><br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu. Running on debian gnu/linux 9 stretch.<br />
<br />
===Slave configuration: Step 1===<br />
Install postgresql and rsync<br />
<br />
# apt-get install postgresql-contrib-9.6 rsync<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Create ssh key for postgres user<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to master postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Stop postgresql before changing any configuration<br />
$ pg_ctlcluster 9.6 main stop<br />
<br />
cd /etc/postgresql/9.6/main<br />
<br />
Open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,192.168.0.115'<br />
port=5432<br />
wal_level = 'hot_standby'<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
max_wal_senders = 1<br />
hot_standby = on<br />
<br />
===Master configuration===<br />
<br />
Create and copy ssh public key to slave like above.<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to slave postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER rep REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
<br />
Allow slave to connect to master using the user just created.<br />
<br />
$ cd /etc/postgresql/9.6/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow rep user to get access to the server<br />
<br />
host replication rep 62.210.83.200/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,213.167.243.152'<br />
port=5432<br />
wal_level = 'hot_standby'<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
max_wal_senders = 1<br />
hot_standby = on<br />
<br />
Now, to activate your changes, reload the postgresql server<br />
<br />
$ pg_ctlcluster 9.6 main reload<br />
<br />
You may need to restart it via systemd,<br />
<br />
# systemctl restart postgresql<br />
<br />
Start the backup process,<br />
<br />
psql -c "select pg_start_backup('initial_backup');"<br />
rsync -cva -e 'ssh -p 12022' --inplace --exclude=*pg_xlog* /var/lib/postgresql/9.6/main/ 62.210.83.200:/var/lib/postgresql/9.6/main/<br />
psql -c "select pg_stop_backup();"<br />
<br />
===Slave Configuration: Step 2===<br />
Create a recovery file called recovery.conf and add following lines.<br />
standby_mode = 'on'<br />
primary_conninfo = 'host=213.167.243.152 port=5432 user=rep password=yourpassword'<br />
trigger_file = '/tmp/postgresql.trigger.5432'<br />
<br />
Start the slave server<br />
<br />
$ pg_ctlcluster 9.6 main start<br />
<br />
===Replication Status===<br />
<br />
On master server ,<br />
<br />
$ ps -ef | grep sender<br />
On slave server,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=Infrastructure&diff=10781Infrastructure2019-03-23T13:58:37Z<p>Pravs: </p>
<hr />
<div>== Our machines ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|mahishasura<br />
|http://mahishasura.pxq.in<br />
|Test machine<br />
|<br />
|-<br />
|[[Poddery_-_Diaspora,_Matrix_and_XMPP|poddery]]<br />
|https://poddery.com<br />
|diaspora pod, matrix homeserver and xmpp server (production)<br />
|<br />
|-<br />
|lists<br />
|https://lists.fsci.org.in<br />
|Mailing list service (production)<br />
|<br />
|-<br />
|Loomio<br />
|https://codema.fsci.org.in<br />
|Loomio service<br />
|<br />
|-<br />
|git<br />
|https://git.fosscommunity.in<br />
|Gitlab instance (production)<br />
|<br />
|-<br />
|Wikimedia<br />
|https://wiki.fsci.org.in/index.php<br />
|Wikimedia instance (production)<br />
|<br />
|-<br />
|Peer tube<br />
|https://videos.fsci.org.in<br />
|Peer tube instance<br />
|Currently down<br />
|-<br />
|Monitor<br />
|https://monitor.fsci.org.in<br />
|For monitoring various services, (grafana)<br />
|Currently down<br />
|-<br />
|Open Source Event Manager<br />
|https://events.fsci.org.in<br />
|Event management service (production)<br />
|<br />
|-<br />
|banasura<br />
|62.210.83.200<br />
|Backup server for poddery.com<br />
|<br />
|-<br />
|bhasmasura<br />
|62.210.83.200 ssh:12022 postgres:12432<br />
|Backup server for git.fosscommunity.in<br />
|<br />
|-<br />
|mayasura<br />
|62.210.83.200 ssh: <br />
|Backup server for diasp.in<br />
|<br />
|-<br />
|}<br />
<br />
== Other services endorsed by FSCI ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|Discourse<br />
|https://freesoftwareindia.org/<br />
|Discourse instance<br />
|<br />
|-<br />
|Mastodon<br />
|https://social.masto.host/<br />
|Mastodon instance<br />
|<br />
|-<br />
|libre infra<br />
|https://libreinfra.org<br />
|Email, Next Cloud services<br />
|Public registration is closed<br />
|-<br />
|}</div>Pravshttps://wiki.fsci.in/index.php?title=Infrastructure&diff=10775Infrastructure2019-02-20T09:14:31Z<p>Pravs: </p>
<hr />
<div>== Our machines ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|mahishasura<br />
|http://mahishasura.pxq.in<br />
|Test machine<br />
|<br />
|-<br />
|Poddery<br />
|https://poddery.com<br />
|diaspora pod, matrix homeserver and xmpp server (production)<br />
|<br />
|-<br />
|lists<br />
|https://lists.fsci.org.in<br />
|Mailing list service (production)<br />
|<br />
|-<br />
|Loomio<br />
|https://codema.fsci.org.in<br />
|Loomio service<br />
|<br />
|-<br />
|git<br />
|https://git.fosscommunity.in<br />
|Gitlab instance (production)<br />
|<br />
|-<br />
|Wikimedia<br />
|https://wiki.fsci.org.in/index.php<br />
|Wikimedia instance (production)<br />
|<br />
|-<br />
|Peer tube<br />
|https://videos.fsci.org.in<br />
|Peer tube instance<br />
|Currently down<br />
|-<br />
|Monitor<br />
|https://monitor.fsci.org.in<br />
|For monitoring various services, (grafana)<br />
|Currently down<br />
|-<br />
|Open Source Event Manager<br />
|https://events.fsci.org.in<br />
|Event management service (production)<br />
|<br />
|-<br />
|banasura<br />
|62.210.83.200<br />
|Backup server for poddery.com<br />
|<br />
|-<br />
|bhasmasura<br />
|62.210.83.200<br />
|Backup server for git.fosscommunity.in<br />
|<br />
|-<br />
|mayasura<br />
|62.210.83.200<br />
|Backup server for diasp.in<br />
|<br />
|-<br />
|}<br />
<br />
== Other services endorsed by FSCI ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|Discourse<br />
|https://freesoftwareindia.org/<br />
|Discourse instance<br />
|<br />
|-<br />
|Mastodon<br />
|https://social.masto.host/<br />
|Mastodon instance<br />
|<br />
|-<br />
|libre infra<br />
|https://libreinfra.org<br />
|Email, Next Cloud services<br />
|Public registration is closed<br />
|-<br />
|}</div>Pravshttps://wiki.fsci.in/index.php?title=Infrastructure&diff=10774Infrastructure2019-02-20T09:12:08Z<p>Pravs: add mayasura</p>
<hr />
<div>== Our machines ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|mahishasura<br />
|http://mahishasura.pxq.in<br />
|Test machine<br />
|<br />
|-<br />
|Poddery<br />
|https://poddery.com<br />
|diaspora pod (production)<br />
|<br />
|-<br />
|lists<br />
|https://lists.fsci.org.in<br />
|Mailing list service<br />
|<br />
|-<br />
|Loomio<br />
|https://codema.fsci.org.in<br />
|Loomio service<br />
|<br />
|-<br />
|git<br />
|https://git.fosscommunity.in<br />
|Gitlab instance<br />
|<br />
|-<br />
|Wikimedia<br />
|https://wiki.fsci.org.in/index.php<br />
|Wikimedia instance<br />
|<br />
|-<br />
|Peer tube<br />
|https://videos.fsci.org.in<br />
|Peer tube instance<br />
|Currently down<br />
|-<br />
|Monitor<br />
|https://monitor.fsci.org.in<br />
|For monitoring various services, (grafana)<br />
|Currently down<br />
|-<br />
|Open Source Event Manager<br />
|https://events.fsci.org.in<br />
|Event management service<br />
|<br />
|-<br />
|banasura<br />
|62.210.83.200<br />
|Backup server for poddery.com<br />
|<br />
|-<br />
|bhasmasura<br />
|62.210.83.200<br />
|Backup server for git.fosscommunity.in<br />
|<br />
|-<br />
|mayasura<br />
|62.210.83.200<br />
|Backup server for diasp.in<br />
|<br />
|-<br />
|}<br />
<br />
== Other services endorsed by FSCI ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|Discourse<br />
|https://freesoftwareindia.org/<br />
|Discourse instance<br />
|<br />
|-<br />
|Mastodon<br />
|https://social.masto.host/<br />
|Mastodon instance<br />
|<br />
|-<br />
|libre infra<br />
|https://libreinfra.org<br />
|Email, Next Cloud services<br />
|Public registration is closed<br />
|-<br />
|}</div>Pravshttps://wiki.fsci.in/index.php?title=Infrastructure&diff=10772Infrastructure2019-02-20T09:06:42Z<p>Pravs: bhasmasura added</p>
<hr />
<div>== Our machines ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|mahishasura<br />
|http://mahishasura.pxq.in<br />
|Test machine<br />
|<br />
|-<br />
|Poddery<br />
|https://poddery.com<br />
|diaspora pod (production)<br />
|<br />
|-<br />
|lists<br />
|https://lists.fsci.org.in<br />
|Mailing list service<br />
|<br />
|-<br />
|Loomio<br />
|https://codema.fsci.org.in<br />
|Loomio service<br />
|<br />
|-<br />
|git<br />
|https://git.fosscommunity.in<br />
|Gitlab instance<br />
|<br />
|-<br />
|Wikimedia<br />
|https://wiki.fsci.org.in/index.php<br />
|Wikimedia instance<br />
|<br />
|-<br />
|Peer tube<br />
|https://videos.fsci.org.in<br />
|Peer tube instance<br />
|<br />
|-<br />
|Monitor<br />
|https://monitor.fsci.org.in<br />
|For monitoring various services, (grafana)<br />
|Currently down<br />
|-<br />
|Open Source Event Manager<br />
|https://events.fsci.org.in<br />
|Event management service<br />
|<br />
|-<br />
|banasura<br />
|62.210.83.200<br />
|Backup server<br />
|<br />
|-<br />
|bhasmasura<br />
|62.210.83.200<br />
|Backup server for git.fosscommunity.in<br />
|<br />
|-<br />
|}<br />
<br />
== Other services endorsed by FSCI ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|Discourse<br />
|https://freesoftwareindia.org/<br />
|Discourse instance<br />
|<br />
|-<br />
|Mastodon<br />
|https://social.masto.host/<br />
|Mastodon instance<br />
|<br />
|-<br />
|libre infra<br />
|https://libreinfra.org<br />
|Email, Next Cloud services<br />
|Public registration is closed<br />
|-<br />
|}</div>Pravshttps://wiki.fsci.in/index.php?title=Infrastructure&diff=10771Infrastructure2019-02-20T09:02:44Z<p>Pravs: Add https://social.masto.host/</p>
<hr />
<div>== Our machines ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|mahishasura<br />
|http://mahishasura.pxq.in<br />
|Test machine<br />
|<br />
|-<br />
|Poddery<br />
|https://poddery.com<br />
|diaspora pod (production)<br />
|<br />
|-<br />
|lists<br />
|https://lists.fsci.org.in<br />
|Mailing list service<br />
|<br />
|-<br />
|Loomio<br />
|https://codema.fsci.org.in<br />
|Loomio service<br />
|<br />
|-<br />
|git<br />
|https://git.fosscommunity.in<br />
|Gitlab instance<br />
|<br />
|-<br />
|Wikimedia<br />
|https://wiki.fsci.org.in/index.php<br />
|Wikimedia instance<br />
|<br />
|-<br />
|Peer tube<br />
|https://videos.fsci.org.in<br />
|Peer tube instance<br />
|<br />
|-<br />
|Monitor<br />
|https://monitor.fsci.org.in<br />
|For monitoring various services, (grafana)<br />
|Currently down<br />
|-<br />
|Open Source Event Manager<br />
|https://events.fsci.org.in<br />
|Event management service<br />
|<br />
|-<br />
|banasura<br />
|62.210.83.200<br />
|Backup server<br />
|<br />
|-<br />
|}<br />
<br />
== Other services endorsed by FSCI ==<br />
<br />
{| class="wikitable" style="margin:auto"<br />
! Host name<br />
! Domain <br />
! Purpose<br />
! Remarks<br />
|-<br />
|Discourse<br />
|https://freesoftwareindia.org/<br />
|Discourse instance<br />
|<br />
|-<br />
|Mastodon<br />
|https://social.masto.host/<br />
|Mastodon instance<br />
|<br />
|-<br />
|libre infra<br />
|https://libreinfra.org<br />
|Email, Next Cloud services<br />
|Public registration is closed<br />
|-<br />
|}</div>Pravshttps://wiki.fsci.in/index.php?title=IRC&diff=10750IRC2019-01-08T13:55:29Z<p>Pravs: whitelisting matrix users don't work with oftc</p>
<hr />
<div>This is a list of FOSS communities in India who has a presence on IRC<br />
<br />
{| border="1" cellpadding="2"<br />
!width="150" style="background:#ffdead;" | Name <br />
!width="150" style="background:#ffdead;" | Channel <br />
!width="180" style="background:#ffdead;" | Server(s)<br />
|- style="background:#efefef;" <br />
| FOSS Community India || #fsci || [irc://irc.oftc.net irc.oftc.net]<br />
|-<br />
| GNU India || #gnu-india || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Linux India || ##linux-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackers India || #hackers-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Indlinux || #indlinux || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Debian India || #debian-in,#debianindia || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| KDE India || #kde-in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU aka GNU/Hurd India|| #hurd.in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Linuxchix|| #indichix || [irc://irc.linuxchix.org irc.linuxchix.org]<br />
|-<br />
| SMC Project || #smc-project || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| ILUG Cochin || #ilugkochi || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackerdom Thrissur || #hackerdom || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU/Linux Lovers || #gnulinuxlovers || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| FOSSCell, NITC || #FOSSCell || [irc://irc.freenode.net irc.freenode.net]<br />
|}<br />
<br />
== How to use matrix as an IRC client to join #fsci ==<br />
* See [https://gist.github.com/fstab/ce805d3001600ac147b79d413668770d this guide] for freenode specific instructions<br />
<br />
# On Matrix, open a new chat (with Riot app this is the "+" sign on the bottom right)<br />
# Invite @oftc-irc:matrix.org to the new chat<br />
# Say !nick <yournick> <br />
# A request for new chat with NickServ will pop up (if not invite @_oftc_NickServ:matrix.org). Accept it.<br />
# Send "REGISTER <password> <email>" to register your nickname.<br />
# "identify <password>" can be used to authenticate (in case the bridge reconnects)<br />
<br />
Send this "!cmd MODE #<channel name> +Me *!*@gateway/shell/matrix.org/*" to @appservice-irc:matrix.org to ban all unregistred nicks except matrix bridged users (for Freenode channels).<br />
<br />
On OFTC "!cmd MODE #<channel name> +Me *!*@2001:470:1af1:101::*" to @oftc-irc:matrix.org (For OFTC channels), though it does not seem to work, more here https://github.com/matrix-org/matrix-appservice-irc/issues/716</div>Pravshttps://wiki.fsci.in/index.php?title=IRC&diff=10749IRC2019-01-03T13:22:40Z<p>Pravs: </p>
<hr />
<div>This is a list of FOSS communities in India who has a presence on IRC<br />
<br />
{| border="1" cellpadding="2"<br />
!width="150" style="background:#ffdead;" | Name <br />
!width="150" style="background:#ffdead;" | Channel <br />
!width="180" style="background:#ffdead;" | Server(s)<br />
|- style="background:#efefef;" <br />
| FOSS Community India || #fsci || [irc://irc.oftc.net irc.oftc.net]<br />
|-<br />
| GNU India || #gnu-india || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Linux India || ##linux-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackers India || #hackers-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Indlinux || #indlinux || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Debian India || #debian-in,#debianindia || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| KDE India || #kde-in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU aka GNU/Hurd India|| #hurd.in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Linuxchix|| #indichix || [irc://irc.linuxchix.org irc.linuxchix.org]<br />
|-<br />
| SMC Project || #smc-project || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| ILUG Cochin || #ilugkochi || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackerdom Thrissur || #hackerdom || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU/Linux Lovers || #gnulinuxlovers || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| FOSSCell, NITC || #FOSSCell || [irc://irc.freenode.net irc.freenode.net]<br />
|}<br />
<br />
== How to use matrix as an IRC client to join #fsci ==<br />
* See [https://gist.github.com/fstab/ce805d3001600ac147b79d413668770d this guide] for freenode specific instructions<br />
<br />
# On Matrix, open a new chat (with Riot app this is the "+" sign on the bottom right)<br />
# Invite @oftc-irc:matrix.org to the new chat<br />
# Say !nick <yournick> <br />
# A request for new chat with NickServ will pop up (if not invite @_oftc_NickServ:matrix.org). Accept it.<br />
# Send "REGISTER <password> <email>" to register your nickname.<br />
# "identify <password>" can be used to authenticate (in case the bridge reconnects)<br />
<br />
Send this "!cmd MODE #<channel name> +Me *!*@gateway/shell/matrix.org/*" to @appservice-irc:matrix.org to ban all unregistred nicks except matrix bridged users (for Freenode channels).<br />
<br />
On OFTC "!cmd MODE #<channel name> +Me *!*@2001:470:1af1:101::*" to @oftc-irc:matrix.org (For OFTC channels)</div>Pravshttps://wiki.fsci.in/index.php?title=GitLab&diff=10747GitLab2018-12-15T18:11:46Z<p>Pravs: /* Maintenance */ add qa tasks here</p>
<hr />
<div>Our public GitLab instance is https://git.fosscommunity.in<br />
<br />
==Hosting==<br />
<br />
Sponsored by [http://about.gitlab.com GitLab Inc].Hosted at gandi.net in France.<br />
<br />
==Setup==<br />
<br />
Running on debian gnu/linux 9 stretch with postgresql 9.6. Using gitlab package from https://people.debian.org/~praveen/gitlab/<br />
<br />
Note: We install gitlab dependencies from stretch-backports, so all apt commands should enable stretch-backports (''apt -t stretch-backports'').<br />
<br />
Debian package specific documentation -> https://salsa.debian.org/ruby-team/gitlab/raw/stretch-backports/debian/README.Debian<br />
<br />
Letsencrypt domains:<br />
<br />
letsencrypt --expand --webroot --webroot-path /usr/share/gitlab/public -d git.fosscommunity.in -d gitlabce.tk -d gitlab.debian.net -d wiki.fsci.org.in -d git.fsci.org.in certonly<br />
<br />
== Mail Server Setup ==<br />
<br />
* postfix is used<br />
* SPF record is added (only a and aaaa allowed to send mails)<br />
* Reverse DNS is updated in gandi.net server ip section<br />
* Using letsencrypt certificates for tls in main.cf<br />
* Using 'inet_interfaces = 127.0.0.1' in main.cf<br />
* Configured DKIM following https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/<br />
* DMARC is set to reject<br />
<br />
==Maintenance==<br />
<br />
Maintenance discussion at [https://www.loomio.org/g/Qu3O8mSf/fosscommunity-in-git-fosscommunity-in-maintainers this loomio subgroup] and [https://matrix.to/#/#git.fosscommunity.in:matrix.org this matrix chat room]<br />
<br />
* [https://git.fosscommunity.in/community/gitlab/ team repo with access details] (private)<br />
<br />
==Gitlab QA - running tests==<br />
<br />
<Create a user account for QA><br />
<br />
<code><br />
$ sudo gem install gitlab-qa<br />
<br />
$ GITLAB_USERNAME=<username> GITLAB_PASSWORD=<password> gitlab-qa Test::Instance::Any gitlab/gitlab-ce-qa:<gitlab version> https://git.hacksk.xyz<br />
</code><br />
<br />
==Backup==<br />
<br />
Backup server is provided by Manu. Running on debian gnu/linux 9 stretch.<br />
<br />
===Slave configuration: Step 1===<br />
Install postgresql and rsync<br />
<br />
# apt-get install postgresql-contrib-9.6 rsync<br />
<br />
Make sure en_US.UTF-8 locale is available<br />
<br />
# dpkg-reconfigure locales<br />
<br />
Create ssh key for postgres user<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to master postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Stop postgresql before changing any configuration<br />
$ pg_ctlcluster 9.6 main stop<br />
<br />
cd /etc/postgresql/9.6/main<br />
<br />
Open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,192.168.0.115'<br />
port=5432<br />
wal_level = 'hot_standby'<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
max_wal_senders = 1<br />
hot_standby = on<br />
<br />
===Master configuration===<br />
<br />
Create and copy ssh public key to slave like above.<br />
<br />
# su - postgres<br />
$ ssh-keygen<br />
<br />
Now copy /var/lib/postgresql/.ssh/id_rsa.pub to slave postgres users' /var/lib/postgresql/.ssh/authorized_keys<br />
<br />
Create postgresql user for replication.<br />
<br />
$ psql -c "CREATE USER rep REPLICATION LOGIN CONNECTION LIMIT 1 ENCRYPTED PASSWORD 'yourpassword';"<br />
<br />
Allow slave to connect to master using the user just created.<br />
<br />
$ cd /etc/postgresql/9.6/main<br />
<br />
$ nano pg_hba.conf<br />
<br />
Add below line to allow rep user to get access to the server<br />
<br />
host replication rep 62.210.83.200/32 md5<br />
<br />
Next , open the postgres configuration file<br />
<br />
nano postgresql.conf<br />
<br />
Set the following configuration options in the postgresql.conf file<br />
<br />
listen_addresses = 'localhost,213.167.243.152'<br />
port=5432<br />
wal_level = 'hot_standby'<br />
archive_mode = on<br />
archive_command = 'cd .'<br />
max_wal_senders = 1<br />
hot_standby = on<br />
<br />
Now, to activate your changes, reload the postgresql server<br />
<br />
$ pg_ctlcluster 9.6 main reload<br />
<br />
You may need to restart it via systemd,<br />
<br />
# systemctl restart postgresql<br />
<br />
Start the backup process,<br />
<br />
psql -c "select pg_start_backup('initial_backup');"<br />
rsync -cva -e 'ssh -p 12022' --inplace --exclude=*pg_xlog* /var/lib/postgresql/9.6/main/ 62.210.83.200:/var/lib/postgresql/9.6/main/<br />
psql -c "select pg_stop_backup();"<br />
<br />
===Slave Configuration: Step 2===<br />
Create a recovery file called recovery.conf and add following lines.<br />
standby_mode = 'on'<br />
primary_conninfo = 'host=213.167.243.152 port=5432 user=rep password=yourpassword'<br />
trigger_file = '/tmp/postgresql.trigger.5432'<br />
<br />
Start the slave server<br />
<br />
$ pg_ctlcluster 9.6 main start<br />
<br />
===Replication Status===<br />
<br />
On master server ,<br />
<br />
$ ps -ef | grep sender<br />
On slave server,<br />
<br />
$ ps -ef | grep receiver<br />
<br />
[[Category:Services]]</div>Pravshttps://wiki.fsci.in/index.php?title=IRC&diff=10744IRC2018-11-06T13:30:48Z<p>Pravs: </p>
<hr />
<div>This is a list of FOSS communities in India who has a presence on IRC<br />
<br />
{| border="1" cellpadding="2"<br />
!width="150" style="background:#ffdead;" | Name <br />
!width="150" style="background:#ffdead;" | Channel <br />
!width="180" style="background:#ffdead;" | Server(s)<br />
|- style="background:#efefef;" <br />
| FOSS Community India || #fsci || [irc://irc.oftc.net irc.oftc.net]<br />
|-<br />
| GNU India || #gnu-india || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Linux India || ##linux-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackers India || #hackers-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Indlinux || #indlinux || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Debian India || #debian-in,#debianindia || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| KDE India || #kde-in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU aka GNU/Hurd India|| #hurd.in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Linuxchix|| #indichix || [irc://irc.linuxchix.org irc.linuxchix.org]<br />
|-<br />
| SMC Project || #smc-project || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| ILUG Cochin || #ilugkochi || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackerdom Thrissur || #hackerdom || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU/Linux Lovers || #gnulinuxlovers || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| FOSSCell, NITC || #FOSSCell || [irc://irc.freenode.net irc.freenode.net]<br />
|}<br />
<br />
== How to use matrix as an IRC client to join #fsci ==<br />
* See [https://gist.github.com/fstab/ce805d3001600ac147b79d413668770d this guide] for freenode specific instructions<br />
<br />
# On Matrix, open a new chat (with Riot app this is the "+" sign on the bottom right)<br />
# Invite @oftc-irc:matrix.org to the new chat<br />
# Say !nick <yournick> <br />
# A request for new chat with NickServ will pop up (if not invite @_oftc_NickServ:matrix.org). Accept it.<br />
# Send "REGISTER <password> <email>" to register your nickname.<br />
# "identify <password>" can be used to authenticate (in case the bridge reconnects)<br />
<br />
Send this "!cmd MODE #<channel name> +Me *!*@gateway/shell/matrix.org/*" to @oftc-irc:matrix.org to ban all unregistred nicks except matrix bridged users.</div>Pravshttps://wiki.fsci.in/index.php?title=IRC&diff=10743IRC2018-11-06T13:28:02Z<p>Pravs: </p>
<hr />
<div>This is a list of FOSS communities in India who has a presence on IRC<br />
<br />
{| border="1" cellpadding="2"<br />
!width="150" style="background:#ffdead;" | Name <br />
!width="150" style="background:#ffdead;" | Channel <br />
!width="180" style="background:#ffdead;" | Server(s)<br />
|- style="background:#efefef;" <br />
| FOSS Community India || #fsci || [irc://irc.oftc.net irc.freenode.net], irc.wikicities.com<br />
|-<br />
| GNU India || #gnu-india || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Linux India || ##linux-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackers India || #hackers-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Indlinux || #indlinux || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Debian India || #debian-in,#debianindia || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| KDE India || #kde-in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU aka GNU/Hurd India|| #hurd.in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Linuxchix|| #indichix || [irc://irc.linuxchix.org irc.linuxchix.org]<br />
|-<br />
| SMC Project || #smc-project || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| ILUG Cochin || #ilugkochi || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackerdom Thrissur || #hackerdom || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU/Linux Lovers || #gnulinuxlovers || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| FOSSCell, NITC || #FOSSCell || [irc://irc.freenode.net irc.freenode.net]<br />
|}<br />
<br />
== How to use matrix as an IRC client to join #fsci ==<br />
* See [https://gist.github.com/fstab/ce805d3001600ac147b79d413668770d this guide] for freenode specific instructions<br />
<br />
# On Matrix, open a new chat (with Riot app this is the "+" sign on the bottom right)<br />
# Invite @oftc-irc:matrix.org to the new chat<br />
# Say !nick <yournick> <br />
# A request for new chat with NickServ will pop up (if not invite @_oftc_NickServ:matrix.org). Accept it.<br />
# Send "REGISTER <password> <email>" to register your nickname.<br />
# "identify <password>" can be used to authenticate (in case the bridge reconnects)<br />
<br />
Send this "!cmd MODE #<channel name> +Me *!*@gateway/shell/matrix.org/*" to @oftc-irc:matrix.org to ban all unregistred nicks except matrix bridged users.</div>Pravshttps://wiki.fsci.in/index.php?title=IRC&diff=10742IRC2018-11-05T15:00:54Z<p>Pravs: </p>
<hr />
<div>This is a list of FOSS communities in India who has a presence on IRC<br />
<br />
{| border="1" cellpadding="2"<br />
!width="150" style="background:#ffdead;" | Name <br />
!width="150" style="background:#ffdead;" | Channel <br />
!width="180" style="background:#ffdead;" | Server(s)<br />
|- style="background:#efefef;" <br />
| FOSS Community India || #fsci || [irc://irc.oftc.net irc.freenode.net], irc.wikicities.com<br />
|-<br />
| GNU India || #gnu-india || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Linux India || ##linux-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackers India || #hackers-india || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Indlinux || #indlinux || [irc://irc.freenode.net irc.freenode.net]<br />
|- style="background:#efefef;" <br />
| Debian India || #debian-in,#debianindia || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| KDE India || #kde-in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU aka GNU/Hurd India|| #hurd.in || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Linuxchix|| #indichix || [irc://irc.linuxchix.org irc.linuxchix.org]<br />
|-<br />
| SMC Project || #smc-project || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| ILUG Cochin || #ilugkochi || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| Hackerdom Thrissur || #hackerdom || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| GNU/Linux Lovers || #gnulinuxlovers || [irc://irc.freenode.net irc.freenode.net]<br />
|-<br />
| FOSSCell, NITC || #FOSSCell || [irc://irc.freenode.net irc.freenode.net]<br />
|}<br />
<br />
== How to use matrix as an IRC client to join #fsci ==<br />
* See [https://gist.github.com/fstab/ce805d3001600ac147b79d413668770d this guide] for freenode specific instructions<br />
<br />
# On Matrix, open a new chat (with Riot app this is the "+" sign on the bottom right)<br />
# Invite @oftc-irc:matrix.org to the new chat<br />
# Say !nick <yournick> <br />
# A request for new chat with NickServ will pop up (if not invite @_oftc_NickServ:matrix.org). Accept it.<br />
# Send "REGISTER <password> <email>" to register your nickname.<br />
# "identify <password>" can be used to authenticate (in case the bridge reconnects)<br />
<br />
Send this "!cmd MODE #debian-diaspora +Me *!*@gateway/shell/matrix.org/*" to @oftc-irc:matrix.org to ban all unregistred nicks except matrix bridged users.</div>Pravs