Hacking:Server configuration
DNS
These are the DNS entries with he.net, as of 2014-10-02.
Record | Type | Value |
---|---|---|
parabolagnulinux.org. | A | 80.87.131.232 |
projects.parabolagnulinux.org. | A | 80.87.131.232 |
wiki.parabolagnulinux.org. | A | 80.87.131.232 |
repo.parabolagnulinux.org. | A | 80.87.131.232 |
licenses.parabolagnulinux.org. | A | 80.87.131.232 |
lists.parabolagnulinux.org. | A | 80.87.131.232 |
forum.parabolagnulinux.org. | A | 80.87.131.232 |
parabolagnulinux.org. | MX | 0 repo.parabola.nu. |
_xmpp-server._tcp.parabolagnulinux.org. | SRV | 0 0 5269 xmpp.parabolagnulinux.org. |
_jabber._tcp.parabolagnulinux.org. | SRV | 0 0 5269 xmpp.parabolagnulinux.org. |
_xmpp-client._tcp.parabolagnulinux.org. | SRV | 0 0 5222 xmpp.parabolagnulinux.org. |
list.parabolagnulinux.org. | MX | 0 repo.parabola.nu. |
lists.parabolagnulinux.org. | MX | 0 repo.parabola.nu. |
conference.parabolagnulinux.org. | A | 80.87.131.232 |
list.parabolagnulinux.org. | A | 80.87.131.232 |
xmpp.parabolagnulinux.org. | A | 80.87.131.232 |
parabolagnulinux.org. | TXT | "v=spf1 ip4:80.87.131.232 -all" |
lists.parabolagnulinux.org. | TXT | "v=spf1 ip4:80.87.131.232 -all" |
mail.parabolagnulinux.org. | TXT | "v=spf1 -all" |
repo.parabolagnulinux.org. | TXT | "v=spf1 ip4:80.87.131.232 -all" |
bugs.parabolagnulinux.org. | TXT | "v=spf1 -all" |
conference.parabolagnulinux.org. | TXT | "v=spf1 -all" |
forum.parabolagnulinux.org. | TXT | "v=spf1 -all" |
licenses.parabolagnulinux.org. | TXT | "v=spf1 -all" |
list.parabolagnulinux.org. | TXT | "v=spf1 -all" |
packages.parabolagnulinux.org. | TXT | "v=spf1 -all" |
projects.parabolagnulinux.org. | TXT | "v=spf1 -all" |
wiki.parabolagnulinux.org. | TXT | "v=spf1 -all" |
xmpp.parabolagnulinux.org. | TXT | "v=spf1 -all" |
_xmpp-client._tcp.parabolagnulinux.org. | TXT | "v=spf1 -all" |
_xmpp-server._tcp.parabolagnulinux.org. | TXT | "v=spf1 -all" |
_jabber._tcp.parabolagnulinux.org. | TXT | "v=spf1 -all" |
bugs.parabolagnulinux.org. | SPF | "v=spf1 -all" |
conference.parabolagnulinux.org. | SPF | "v=spf1 -all" |
forum.parabolagnulinux.org. | SPF | "v=spf1 -all" |
licenses.parabolagnulinux.org. | SPF | "v=spf1 -all" |
list.parabolagnulinux.org. | SPF | "v=spf1 -all" |
lists.parabolagnulinux.org. | SPF | "v=spf1 ip4:80.87.131.232 -all" |
mail.parabolagnulinux.org. | SPF | "v=spf1 -all" |
packages.parabolagnulinux.org. | SPF | "v=spf1 -all" |
parabolagnulinux.org. | SPF | "v=spf1 ip4:80.87.131.232 -all" |
projects.parabolagnulinux.org. | SPF | "v=spf1 -all" |
repo.parabolagnulinux.org. | SPF | "v=spf1 ip4:80.87.131.232 -all" |
wiki.parabolagnulinux.org. | SPF | "v=spf1 -all" |
xmpp.parabolagnulinux.org. | SPF | "v=spf1 -all" |
_xmpp-client._tcp.parabolagnulinux.org. | SPF | "v=spf1 -all" |
_xmpp-server._tcp.parabolagnulinux.org. | SPF | "v=spf1 -all" |
_jabber._tcp.parabolagnulinux.org. | SPF | "v=spf1 -all" |
parabola.nu. | A | 80.87.131.232 |
parabola.nu. | MX | 10 repo.parabola.nu. |
_xmpp-client._tcp.parabola.nu. | SRV | 0 0 5222 xmpp.parabolagnulinux.org. |
_xmpp-server._tcp.parabola.nu. | SRV | 0 0 5269 xmpp.parabolagnulinux.org. |
labs.parabola.nu. | A | 80.87.131.232 |
parabola.nu. | TXT | "v=spf1 ip4:80.87.131.232 -all" |
parabola.nu. | SPF | "v=spf1 ip4:80.87.131.232 -all" |
labs.parabola.nu. | TXT | "v=spf1 -all" |
_xmpp-client._tcp.parabola.nu. | TXT | "v=spf1 -all" |
_xmpp-server._tcp.parabola.nu. | TXT | "v=spf1 -all" |
labs.parabola.nu. | SPF | "v=spf1 -all" |
_xmpp-client._tcp.parabola.nu. | SPF | "v=spf1 -all" |
_xmpp-server._tcp.parabola.nu. | SPF | "v=spf1 -all" |
repo.parabola.nu. | A | 80.87.131.232 |
wiki.parabola.nu. | A | 80.87.131.232 |
www.parabola.nu. | A | 80.87.131.232 |
lists.parabola.nu. | A | 80.87.131.232 |
projects.parabola.nu. | A | 80.87.131.232 |
repo.parabola.nu. | SPF | "v=spf1 ip4:80.87.131.232 -all" |
repo.parabola.nu. | TXT | "v=spf1 ip4:80.87.131.232 -all" |
lists.parabola.nu. | TXT | "v=spf1 ip4:80.87.131.232 -all" |
lists.parabola.nu. | SPF | "v=spf1 ip4:80.87.131.232 -all" |
projects.parabola.nu. | TXT | "v=spf1 -all" |
wiki.parabola.nu. | TXT | "v=spf1 -all" |
www.parabola.nu. | TXT | "v=spf1 -all" |
projects.parabola.nu. | SPF | "v=spf1 -all" |
wiki.parabola.nu. | SPF | "v=spf1 -all" |
www.parabola.nu. | SPF | "v=spf1 -all" |
SPF
These are mail domains, i.e. ones listed in envelope From addresses or used for outgoing mail servers:
- parabola.nu
- lists.parabola.nu
- repo.parabola.nu
Mail domains have TXT and SPF records with the value "v=spf1 ip4:80.87.131.232 -all", i.e. only mail sent from the parabola.nu server (80.87.131.232) passes, and the -all tells receivers to reject everything else outright rather than softfail it. All other domains have "v=spf1 -all": no host is authorised to send for them, so any mail claiming to come from them is forged. (As the table above shows, the parabolagnulinux.org, lists.parabolagnulinux.org and repo.parabolagnulinux.org names carry the same sending record as their parabola.nu counterparts.) Two caveats: SPF covers only the envelope sender and the HELO name, not the From: header a user sees; and the SPF record type (RR type 99) has been deprecated by RFC 7208, so most receivers consult only the TXT record. The TXT values are therefore the ones that matter, and the two must be kept identical whenever either is changed.
We use SPF to get less spam claiming to be from our domains and to discourage spammers from using fake sender addresses.
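As an added illustration (not part of this page or of any Parabola tool), the following Python script evaluates the two record shapes used above against a sender IP. It implements only the ip4, ip6 and all mechanisms with their qualifiers, so it needs no DNS and runs offline; the domain table is copied from the DNS entries above, and the sender addresses (80.87.131.232 and 203.0.113.5 from the TEST-NET-3 range) are constructed test inputs.

```python
"""Minimal SPF evaluator for the record shapes used on this page.

Added example, not part of the Parabola wiki or any Parabola tool.
Only the ip4, ip6 and all mechanisms are handled; anything that would
need a DNS lookup (include, a, mx, redirect=) raises instead.
"""
import ipaddress

# Records copied from the DNS table above (domain -> TXT value).
RECORDS = {
    "parabola.nu": "v=spf1 ip4:80.87.131.232 -all",
    "lists.parabola.nu": "v=spf1 ip4:80.87.131.232 -all",
    "repo.parabola.nu": "v=spf1 ip4:80.87.131.232 -all",
    "wiki.parabola.nu": "v=spf1 -all",
    "labs.parabola.nu": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip against one record string.

    RFC 7208 semantics for the supported mechanisms: terms are tried left
    to right, the first matching mechanism decides, and a record in which
    nothing matches yields 'neutral'. A string that is not an SPF record
    at all yields 'none'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address such as ip4:80.87.131.232 is a /32 (or /128).
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not handled here")
    return "neutral"


def check_sender(domain, sender_ip, records=RECORDS):
    """Look the domain up in the local record table and evaluate it."""
    record = records.get(domain.lower().rstrip("."))
    return "none" if record is None else evaluate(record, sender_ip)


if __name__ == "__main__":
    for domain in RECORDS:
        for sender in ("80.87.131.232", "203.0.113.5"):  # second is TEST-NET-3
            print(f"{domain:20} from {sender:15} -> {check_sender(domain, sender)}")
    # The same policy with ~all: receivers would only mark such mail, not reject it.
    print("softfail variant ->", evaluate("v=spf1 ip4:80.87.131.232 ~all", "203.0.113.5"))
```

Running it prints "pass" only for 80.87.131.232 against the three mail domains and "fail" for every other combination, which is exactly the reject-everything-else behaviour the -all records above request; the last line shows what changing -all to ~all would give up.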
parabola.nu
These days everything is on one server, parabola.nu (80.87.131.232). It is a VPS hosted somewhere in the UK, on a machine operated by user n1md4 in cooperation with his employer, Positive Internet.
Resources
```
$ uname -m
x86_64
$ free -h
             total       used       free     shared    buffers     cached
Mem:          1.9G       1.8G       100M       191M        28M       538M
-/+ buffers/cache:       1.2G       667M
Swap:         1.0G       413M       608M
$ df -h | grep sda
/dev/sda1        98G   12G   82G  13% /
/dev/sda3       150G  125G   26G  83% /srv
```
Public-facing network sockets/services
socket | IPv4 | IPv6 | protocol | daemon | other info |
---|---|---|---|---|---|
TCP:*:22 | Yes | Yes | SSH | sshd.service | |
TCP:*:25 | Yes | Yes | SMTP | postfix.service/master | |
TCP:*:80 | Yes | Yes | HTTP | nginx.service | |
TCP:*:443 | Yes | Yes | HTTPS | nginx.service | |
TCP:*:465 | Yes | Yes | SMTPS | postfix.service/master | |
TCP:*:587 | Yes | Yes | SMTP-MSA | postfix.service/master | |
TCP:*:655 | Yes | Yes | tinc | tincd@lvpn.service | |
TCP:*:875 | Yes* | Yes | rsync | rsync.socket | |
TCP:*:1863 | Yes | Yes | SSH | sshd.service | |
TCP:*:5222 | Yes | Yes | xmpp-client | prosody.service | |
TCP:*:5269 | Yes | Yes | xmpp-server | prosody.service | |
TCP:*:9418 | Yes* | Yes | git | git-daemon.socket | |
Inward-facing sockets
socket | protocol | daemon | other info |
---|---|---|---|
TCP4/6:localhost.localdomain:2812 | HTTP | monit.service | |
TCP4:localhost.localdomain:5432 | pgsql | postgresql.service | |
unix:/run/mysqld/mysqld.sock | MySQL | mysqld.service | |
unix:/run/fcgiwrap.sock | FastCGI | fcgiwrap.socket | used for mailman |
unix:/run/uwsgi/labs.sock | uwsgi | uwsgi@labs.socket | |
unix:/run/uwsgi/parabolaweb.sock | uwsgi | uwsgi@parabolaweb.socket | |
unix:/run/uwsgi/projects.sock | uwsgi/modifier1=9 | uwsgi@projects.socket | |
unix:/run/uwsgi/pur.sock | uwsgi/modifier1=14 | uwsgi@pur.socket | |
unix:/run/uwsgi/repo.sock | uwsgi/modifier1=14 | uwsgi@repo.socket | |
unix:/run/uwsgi/wiki.sock | uwsgi/modifier1=14 | uwsgi@wiki.socket | |
unix:/run/dovecot/... | misc | dovecot.service | |
System stuff | |||
unix:/run/dbus/systemd_bus_socket | D-Bus | dbus.socket | |
unix:/run/lvm/lvmetad.socket | ??? | lvm2-lvmetad.socket | |
unix:/run/udev/control | ??? | systemd-udev-control.socket | |
unix:/run/systemd/... | misc | misc | |
unix:/run/user/${UID}/{bus,systemd/{notify,private}} | misc | user@${UID}.service | |
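The two socket tables above are only useful if they still match the host. The following Python script, an added example that is not part of this page or of the server's own tooling, parses `ss -Hltn` output, ignores loopback-only listeners (which is where the monit and PostgreSQL ports in the inward-facing table live) and reports any public TCP listener that is not in the documented inventory, as well as documented ports that are no longer listening. The expected set is transcribed from the public-facing table; the `ss` output embedded below is a constructed sample (it deliberately exposes 3306 on all interfaces and omits 9418) so the script runs offline. Pass `--live` to run it against the real `ss` on a host.

```python
"""Compare live listening TCP sockets against the documented inventory.

Added example, not part of the Parabola wiki or server tooling. The
DOCUMENTED map is transcribed from the public-facing socket table; the
SAMPLE_SS text is a constructed stand-in for `ss -Hltn` output.
"""
import re
import subprocess
import sys

# Documented public TCP listeners (port -> service), from the table above.
DOCUMENTED = {
    22: "ssh", 25: "smtp", 80: "http", 443: "https", 465: "smtps",
    587: "submission", 655: "tinc", 875: "rsync", 1863: "ssh (alt port)",
    5222: "xmpp-client", 5269: "xmpp-server", 9418: "git",
}

# Loopback-only listeners are inward-facing and ignored by the drift check.
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Constructed sample of `ss -Hltn` output. It contains an undocumented
# listener on 3306 (MySQL on all interfaces, which the page says should be
# a unix socket only) and lacks the documented git listener on 9418.
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
LISTEN 0      100          0.0.0.0:465       0.0.0.0:*
LISTEN 0      100          0.0.0.0:587       0.0.0.0:*
LISTEN 0      128          0.0.0.0:655       0.0.0.0:*
LISTEN 0      5            0.0.0.0:875       0.0.0.0:*
LISTEN 0      128          0.0.0.0:1863      0.0.0.0:*
LISTEN 0      128          0.0.0.0:5222      0.0.0.0:*
LISTEN 0      128          0.0.0.0:5269      0.0.0.0:*
LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*
LISTEN 0      128        127.0.0.1:2812      0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
"""

# State, Recv-Q, Send-Q, then local address:port; the address may be
# bracketed IPv6 such as [::]:22, so the port is the last colon-separated field.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return {port: set(local addresses)} for non-loopback TCP listeners."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith(LOOPBACK_PREFIXES):
            continue
        listeners.setdefault(port, set()).add(addr)
    return listeners


def drift(ss_output, documented=DOCUMENTED):
    """Return (undocumented public ports, documented ports not listening)."""
    live = set(parse_listeners(ss_output))
    return sorted(live - set(documented)), sorted(set(documented) - live)


if __name__ == "__main__":
    if "--live" in sys.argv:
        # -H suppresses the header, -l listening, -t TCP, -n numeric ports.
        output = subprocess.run(["ss", "-Hltn"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_SS
    unexpected, missing = drift(output)
    print("undocumented public listeners:", unexpected or "none")
    print("documented but not listening:", missing or "none")
```

On the constructed sample this reports 3306 as undocumented and 9418 as missing; on a host that matches the tables both lists are empty. It only sees TCP, so a UDP listener or a unix socket that turned into a TCP one on another port would need a second pass with `ss -Hlun` and the inward-facing table.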
Other running services of note
- dovecot.service
- mailman.service
- pbot.service
- parabolaweb-reporead-inotify.service
Nginx "servers"
server_name | HTTP | HTTPS |
---|---|---|
Simple redirects | ||
* | return 301 https://$host$request_uri; | return 301 https://www.parabola.nu/404; |
parabolagnulinux.org | N/A | return 301 https://www.parabola.nu$request_uri; |
*.parabolagnulinux.org | N/A | return 301 https://$subdomain.parabola.nu$request_uri; |
list.parabolagnulinux.org | N/A | return 301 https://lists.parabola.nu$request_uri; |
parabola.nu | N/A | return 301 https://www.parabola.nu$request_uri |
Websites | ||
www.parabola.nu | N/A | Serve /static/, /favicon.ico, /robots.txt, and /img/ statically, redirect /https to /, and hand everything else off to uWSGI |
labs.parabola.nu | N/A | Redirect / to /projects; use uWSGI |
lists.parabola.nu | N/A | |
projects.parabola.nu | N/A | Serve cgit via uWSGI |
repo.parabola.nu | N/A | Serve the union of /srv/repo/main and /srv/repo/http, using repoindex.php (via uWSGI) for indexes. |
wiki.parabola.nu | N/A | Serve MediaWiki via uWSGI (https://lukeshu.com/blog/nginx-mediawiki.html) |
pur.parabola.nu | N/A | TODO |
redirector.parabola.nu | N/A | TODO |
repomirror.parabola.nu | N/A | TODO |
Mail configuration
Postfix's postscreen handles port 25 and enforces the pregreet test; SPF is checked via python2-postfix-policyd-spf; mail is delivered through Dovecot's deliver (the LDA). deliver and the Dovecot daemon must be the same version, so the daemon has to be restarted after a Dovecot update.
Mailman handles the lists, with Postfix integration via a virtual address map. Use /usr/lib/mailman/bin/newlist to add a list.
pbot
pbot, the Parabola IRC bot, lives at pbot.git and runs as the user pbot.
Configuration things
There used to be several symlinks added to /var to keep things in sane places, but they have been replaced by bind mounts in /etc/fstab, because the symlinks confused pacman.
```
/var/lib/mailman  -> ../../srv/mailman
/var/lib/mysql    -> ../../srv/sql/mysql
/var/lib/postgres -> ../../srv/sql/postgres
/var/spool/cron   -> ../../etc/cron.spool
```
That is, nothing of consequence that needs backing up should live anywhere but /srv or /etc (and perhaps /home, for personal files).
To do
- murmurd?
- Use NSD (or PowerDNS) to manage DNS zones from the server.
- Automate users from hackers.git ending up in PAM/NSS.
- ...
- Profit