Hacking:Server configuration

Note: This page documents how the Parabola project's servers are configured. This is not about how to configure servers.

DNS

These are the DNS entries with he.net, as of 2014-10-02.

Record Type Value
parabolagnulinux.org. A 80.87.131.232
projects.parabolagnulinux.org. A 80.87.131.232
wiki.parabolagnulinux.org. A 80.87.131.232
repo.parabolagnulinux.org. A 80.87.131.232
licenses.parabolagnulinux.org. A 80.87.131.232
lists.parabolagnulinux.org. A 80.87.131.232
forum.parabolagnulinux.org. A 80.87.131.232
parabolagnulinux.org. MX 0 repo.parabola.nu.
_xmpp-server._tcp.parabolagnulinux.org. SRV 0 0 5269 xmpp.parabolagnulinux.org.
_jabber._tcp.parabolagnulinux.org. SRV 0 0 5269 xmpp.parabolagnulinux.org.
_xmpp-client._tcp.parabolagnulinux.org. SRV 0 0 5222 xmpp.parabolagnulinux.org.
list.parabolagnulinux.org. MX 0 repo.parabola.nu.
lists.parabolagnulinux.org. MX 0 repo.parabola.nu.
conference.parabolagnulinux.org. A 80.87.131.232
list.parabolagnulinux.org. A 80.87.131.232
xmpp.parabolagnulinux.org. A 80.87.131.232
parabolagnulinux.org. TXT "v=spf1 ip4:80.87.131.232 -all"
lists.parabolagnulinux.org. TXT "v=spf1 ip4:80.87.131.232 -all"
mail.parabolagnulinux.org. TXT "v=spf1 -all"
repo.parabolagnulinux.org. TXT "v=spf1 ip4:80.87.131.232 -all"
bugs.parabolagnulinux.org. TXT "v=spf1 -all"
conference.parabolagnulinux.org. TXT "v=spf1 -all"
forum.parabolagnulinux.org. TXT "v=spf1 -all"
licenses.parabolagnulinux.org. TXT "v=spf1 -all"
list.parabolagnulinux.org. TXT "v=spf1 -all"
packages.parabolagnulinux.org. TXT "v=spf1 -all"
projects.parabolagnulinux.org. TXT "v=spf1 -all"
wiki.parabolagnulinux.org. TXT "v=spf1 -all"
xmpp.parabolagnulinux.org. TXT "v=spf1 -all"
_xmpp-client._tcp.parabolagnulinux.org. TXT "v=spf1 -all"
_xmpp-server._tcp.parabolagnulinux.org. TXT "v=spf1 -all"
_jabber._tcp.parabolagnulinux.org. TXT "v=spf1 -all"
bugs.parabolagnulinux.org. SPF "v=spf1 -all"
conference.parabolagnulinux.org. SPF "v=spf1 -all"
forum.parabolagnulinux.org. SPF "v=spf1 -all"
licenses.parabolagnulinux.org. SPF "v=spf1 -all"
list.parabolagnulinux.org. SPF "v=spf1 -all"
lists.parabolagnulinux.org. SPF "v=spf1 ip4:80.87.131.232 -all"
mail.parabolagnulinux.org. SPF "v=spf1 -all"
packages.parabolagnulinux.org. SPF "v=spf1 -all"
parabolagnulinux.org. SPF "v=spf1 ip4:80.87.131.232 -all"
projects.parabolagnulinux.org. SPF "v=spf1 -all"
repo.parabolagnulinux.org. SPF "v=spf1 ip4:80.87.131.232 -all"
wiki.parabolagnulinux.org. SPF "v=spf1 -all"
xmpp.parabolagnulinux.org. SPF "v=spf1 -all"
_xmpp-client._tcp.parabolagnulinux.org. SPF "v=spf1 -all"
_xmpp-server._tcp.parabolagnulinux.org. SPF "v=spf1 -all"
_jabber._tcp.parabolagnulinux.org. SPF "v=spf1 -all"
parabola.nu. A 80.87.131.232
parabola.nu. MX 10 repo.parabola.nu.
_xmpp-client._tcp.parabola.nu. SRV 0 0 5222 xmpp.parabolagnulinux.org.
_xmpp-server._tcp.parabola.nu. SRV 0 0 5269 xmpp.parabolagnulinux.org.
labs.parabola.nu. A 80.87.131.232
parabola.nu. TXT "v=spf1 ip4:80.87.131.232 -all"
parabola.nu. SPF "v=spf1 ip4:80.87.131.232 -all"
labs.parabola.nu. TXT "v=spf1 -all"
_xmpp-client._tcp.parabola.nu. TXT "v=spf1 -all"
_xmpp-server._tcp.parabola.nu. TXT "v=spf1 -all"
labs.parabola.nu. SPF "v=spf1 -all"
_xmpp-client._tcp.parabola.nu. SPF "v=spf1 -all"
_xmpp-server._tcp.parabola.nu. SPF "v=spf1 -all"
repo.parabola.nu. A 80.87.131.232
wiki.parabola.nu. A 80.87.131.232
www.parabola.nu. A 80.87.131.232
lists.parabola.nu. A 80.87.131.232
projects.parabola.nu. A 80.87.131.232
repo.parabola.nu. SPF "v=spf1 ip4:80.87.131.232 -all"
repo.parabola.nu. TXT "v=spf1 ip4:80.87.131.232 -all"
lists.parabola.nu. TXT "v=spf1 ip4:80.87.131.232 -all"
lists.parabola.nu. SPF "v=spf1 ip4:80.87.131.232 -all"
projects.parabola.nu. TXT "v=spf1 -all"
wiki.parabola.nu. TXT "v=spf1 -all"
www.parabola.nu. TXT "v=spf1 -all"
projects.parabola.nu. SPF "v=spf1 -all"
wiki.parabola.nu. SPF "v=spf1 -all"
www.parabola.nu. SPF "v=spf1 -all"

SPF

These are the mail domains, i.e. the ones that appear in envelope From addresses or that name our outgoing mail servers:

  • parabola.nu
  • lists.parabola.nu
  • repo.parabola.nu

Mail domains have TXT and SPF records with the value "v=spf1 ip4:80.87.131.232 -all", i.e. only mail sent from the parabola.nu server (80.87.131.232) is authorized. All other domains have "v=spf1 -all": they never send mail, so any message claiming to come from them is forged.

We use SPF to receive less spam claiming to be from our domains and to discourage spammers from forging our sender addresses.
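To show what a receiving mail server does with the records above, here is a small SPF evaluator (added here as an example; it is not Parabola's code). It handles only the mechanisms this zone uses, ip4 and all, and the RECORDS table is a constructed subset of the DNS entries listed on this page rather than a live lookup.

```python
import ipaddress

# Constructed subset of the TXT/SPF records published for the parabola.nu
# zones, as listed on this page (TXT and SPF type carry the same value).
RECORDS = {
    "parabola.nu": "v=spf1 ip4:80.87.131.232 -all",
    "lists.parabola.nu": "v=spf1 ip4:80.87.131.232 -all",
    "repo.parabola.nu": "v=spf1 ip4:80.87.131.232 -all",
    "wiki.parabola.nu": "v=spf1 -all",
    "labs.parabola.nu": "v=spf1 -all",
}

# SPF qualifier prefix -> result name (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(records, domain, ip):
    """Evaluate the SPF record of `domain` for a client connecting from `ip`.

    Supports only the ip4 (with optional CIDR) and all mechanisms used in
    this zone.  Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    record = records.get(domain)
    if record is None:
        return "none"  # no policy published for this domain
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "-all" here: everything else is forged
        if name == "ip4":
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP == /32
            except ValueError:
                return "permerror"  # malformed address in the record
            if addr.version == 4 and addr in net:
                return QUALIFIERS[qualifier]
            continue  # no match: try the next mechanism
        return "permerror"  # a, mx, include, redirect= etc. are not handled here
    return "neutral"  # no mechanism matched and no "all" present


if __name__ == "__main__":
    for dom, src in [("parabola.nu", "80.87.131.232"),
                     ("parabola.nu", "203.0.113.5"),
                     ("wiki.parabola.nu", "80.87.131.232")]:
        print(dom, src, check_host(RECORDS, dom, src))
```

Note that because only an ip4 mechanism is listed, a message from the server over IPv6 would also get "fail"; that matters if the host ever gets an AAAA record.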

parabola.nu

These days, everything is on one server: parabola.nu (80.87.131.232). It is a VPS hosted somewhere in the UK, on a machine operated by user n1md4 in cooperation with his employer, Positive Internet.

Resources

$ uname -m
x86_64
$ free -h
             total       used       free     shared    buffers     cached
Mem:          1.9G       1.8G       100M       191M        28M       538M
-/+ buffers/cache:       1.2G       667M
Swap:         1.0G       413M       608M
$ df -h | grep sda
/dev/sda1        98G   12G   82G  13% /
/dev/sda3       150G  125G   26G  83% /srv

Public-facing network sockets/services

Note: IPv4/6 support is just what lsof says. Except that systemd .socket targets are both IPv4 and IPv6, but lsof reports them as just IPv6, even for established IPv4 connections. Weird. I'm pretty sure it's a bug in lsof, so I guess that means that some of the others might be wrong?
socket IPv4 IPv6 protocol daemon other info
TCP:*:22 Yes Yes SSH sshd.service
TCP:*:25 Yes Yes SMTP postfix.service/master
TCP:*:80 Yes Yes HTTP nginx.service
TCP:*:443 Yes Yes HTTPS nginx.service
TCP:*:465 Yes Yes SMTPS postfix.service/master
TCP:*:587 Yes Yes SMTP-MSA postfix.service/master
TCP:*:655 Yes Yes tinc tincd@lvpn.service
TCP:*:875 Yes* Yes rsync rsync.socket
TCP:*:1863 Yes Yes SSH sshd.service
TCP:*:5222 Yes Yes xmpp-client prosody.service
TCP:*:5269 Yes Yes xmpp-server prosody.service
TCP:*:9418 Yes* Yes git git-daemon.socket

Inward-facing sockets

socket protocol daemon other info
TCP4/6:localhost.localdomain:2812 HTTP monit.service
TCP4:localhost.localdomain:5432 pgsql postgresql.service
unix:/run/mysqld/mysqld.sock MySQL mysqld.service
unix:/run/fcgiwrap.sock FastCGI fcgiwrap.socket used for mailman
unix:/run/uwsgi/labs.sock uwsgi uwsgi@labs.socket
unix:/run/uwsgi/parabolaweb.sock uwsgi uwsgi@parabolaweb.socket
unix:/run/uwsgi/projects.sock uwsgi/modifier1=9 uwsgi@projects.socket
unix:/run/uwsgi/pur.sock uwsgi/modifier1=14 uwsgi@pur.socket
unix:/run/uwsgi/repo.sock uwsgi/modifier1=14 uwsgi@repo.socket
unix:/run/uwsgi/wiki.sock uwsgi/modifier1=14 uwsgi@wiki.socket
unix:/run/dovecot/... misc dovecot.service
System stuff
unix:/run/dbus/systemd_bus_socket D-Bus dbus.socket
unix:/run/lvm/lvmetad.socket  ??? lvm2-lvmetad.socket
unix:/run/udev/control  ??? systemd-udev-control.socket
unix:/run/systemd/... misc misc
unix:/run/user/${UID}/{bus,systemd/{notify,private}} misc user@${UID}.service

Other running services of note

  • dovecot.service
  • mailman.service
  • pbot.service
  • parabolaweb-reporead-inotify.service

Nginx "servers"

server_name HTTP HTTPS
Simple redirects
* return 301 https://$host$request_uri; return 301 https://www.parabola.nu/404;
parabolagnulinux.org N/A return 301 https://www.parabola.nu$request_uri;
*.parabolagnulinux.org N/A return 301 https://$subdomain.parabola.nu$request_uri;
list.parabolagnulinux.org N/A return 301 https://lists.parabola.nu$request_uri;
parabola.nu N/A return 301 https://www.parabola.nu$request_uri;
Websites
www.parabola.nu N/A Serve /static/, /favicon.ico, /robots.txt, and /img/ statically, redirect /https to /, and hand everything else off to uWSGI
labs.parabola.nu N/A Redirect / to /projects; use uWSGI
lists.parabola.nu N/A
  • Redirect / to /mailman/
  • Redirect /mailman/ to /mailman/listinfo
  • Serve the mailman CGI programs at /mailman/* via fcgiwrap
  • Serve the static mailman icons at /icons
  • Serve /var/lib/mailman/archives/public at /pipermail
projects.parabola.nu N/A Serve cgit via uWSGI
repo.parabola.nu N/A Serve the union of /srv/repo/main and /srv/repo/http, using repoindex.php (via uWSGI) for indexes.
wiki.parabola.nu N/A Serve MediaWiki via uWSGI (https://lukeshu.com/blog/nginx-mediawiki.html)
pur.parabola.nu N/A TODO
redirector.parabola.nu N/A TODO
repomirror.parabola.nu N/A TODO

Mail configuration

Note: I (lukeshu) have no idea if this is still true for the current server. Ask fauno or mtjm.

Postfix's postscreen handles port 25 and enforces the pregreet test; SPF records of incoming mail are checked via python2-postfix-policyd-spf; mail is then delivered via Dovecot's deliver. deliver and the Dovecot daemon must be of the same version, so the daemon needs to be restarted after an update.

Mailman handles the lists, with Postfix integration via a virtual address map. Use /usr/lib/mailman/bin/newlist to add a list.

pbot

pbot, the Parabola IRC bot, lives at pbot.git and runs as the user pbot.

Configuration things

There used to be several symlinks added to /var to keep things in sane places, but they have been replaced by bind mounts in /etc/fstab, because the symlinks confused pacman.

/var/lib/mailman   ->  ../../srv/mailman
/var/lib/mysql     ->  ../../srv/sql/mysql
/var/lib/postgres  ->  ../../srv/sql/postgres
/var/spool/cron    ->  ../../etc/cron.spool

That is, nothing of consequence that needs to be backed up should live anywhere other than /srv or /etc, and perhaps /home for personal files.

To do

  • murmurd?
  • Use NSD (or PowerDNS) to manage DNS zones from the server.
  • Automate users from hackers.git ending up in PAM/NSS.
  • ...
  • Profit