1. Off-site file back-up services
1.1. Questions to be resolved
Use rsync.net?
2. DNS
2.1. Decisions that we've agreed on
- Running djbdns on Main
Update: Scrap that! We're using BIND on Main and Dynamic, since it's so much better supported throughout the 'net, makes master/slave configurations easier, etc.. In the future, we want to expand to include a tertiary DNS server in a different geographic location and on an entirely different network.
2.2. Questions to be resolved
- How do we arrange redundant DNS infrastructure?
JustinLeitgeb says:
- For now, I think we can just put our backup DNS server on either the shell or web machine at Peer 1, depending on how we finally set things up. We will have to configure this with domtool or it's replacement. I don't really see any other options here, am I missing something?
2.3. References to how we do things now
DnsConfiguration, DomainRegistration
3. FTP
3.1. Decisions that we've agreed on
- Run an FTP daemon on Main
- Only allow encrypted authentication methods
- Only allow users on a white-list to use FTP; they should be using SCP if possible
3.2. References to how we do things now
FtpConfiguration, FileTransfer
4. HTTP
4.1. Decisions that we've agreed on
- Using Apache 2
- Running all official/administrative HCoop web sites on Main
- Running all member dynamic web sites on Dynamic
4.2. Questions to be resolved
- Do we completely separate adminstrative web sites from the rest, or do we allow any member static web site to be served by Main?
DavorOcelic says:
- Well. I think we don't have many administrative web sites (nor the ones we have are used heavy enough) to justify complete separation. It should be OK to run static web sites from Main, I believe. We could create default web spaces for users, like ~/public_html/ served from Dynamic, and ~/static_html/ served from Main, or something like that. (Please give more input on this).
I think it would better to have a domtool directive that chose which machine the site was served on (e.g. ServedOn static|dynamic) and then let members choose how to lay out their own directories. -- ClintonEbadi
- Well. I think we don't have many administrative web sites (nor the ones we have are used heavy enough) to justify complete separation. It should be OK to run static web sites from Main, I believe. We could create default web spaces for users, like ~/public_html/ served from Dynamic, and ~/static_html/ served from Main, or something like that. (Please give more input on this).
4.3. References to how we do things now
UserWebsites, DynamicWebSites, VirtualHostConfiguration
5. IMAP/POP
5.1. Decisions that we've agreed on
- Running the primary IMAP/POP daemons on Main
- Running both SSL and normal versions, where the normal versions can only be used over the local network
5.2. Questions to be resolved
- Do we keep using Courier IMAP or do we switch to something like Cyrus?
5.3. References to how we do things now
UsingEmail, EmailConfiguration
6. Jabber
6.1. Decisions that we've agreed on
- Run the same thing we're running now, on Main
6.2. Questions to be resolved
- Should we add a tool similar to webpasswd to let members enable their jabber accounts without manual intervention? Doing this by hand is easy now, but when we have hundreds of members it would make much more sense to automate the process.
- Alternatively we could let members login using their normal passwords (which is fairly secure as long as SSL is forced to be enabled). Ejabberd can use LDAP for authentication so it would be easy to automatically give every HCoop member an account.
Should a tool be added to enable members to set up their own virtual jabber hosts (e.g. member at unknownlamer dot org )? I (ClintonEbadi) could write one in perl.
- If we did this should we allow members to add as many accounts as they wish, or only have one account per virtual server for the member? Jabber doesn't use much bandwidth (it's all text), and it would be nice to be able to give friends or family jabber accounts, and then eliminate dependence on other more evil IM services.
6.3. References to how we do things now
7. Mailing lists
7.1. Decisions that we've agreed on
- Using the Mailman software
- Running the daemon on Main
7.2. Questions to be resolved
- How/where do we store mailing list data so that it is appropriately charged towards a member's storage quota?
7.3. References to how we do things now
8. Relational database servers
8.1. Decisions that we've agreed on
- Running PostgreSQL and MySQL servers on Main
8.2. Questions to be resolved
- Are we satisfied with the latest versions from Debian stable, or do we want to do something special?
Do remote PostgreSQL authentication (from Dynamic, etc.) via the ident method? DavorOcelic thinks it's OK.
8.3. References to how we do things now
9. SMTP
9.1. Decisions that we've agreed on
- Using Exim 4
- Running the primary SMTP daemon on Main
9.2. Questions to be resolved
- Run secondary MX on Dynamic or elsewhere?
9.3. References to how we do things now
UsingEmail, EmailConfiguration
10. Spam detection
10.1. Decisions that we've agreed on
Running the SpamAssassin spamd daemon on Main
- Running it via the spamc client on all mail to opted-in addresses, but leaving filtering based on the added headers up to the individual recipients
- Keeping a shared Bayes filtering database that can be trained by members by depositing misclassified messages into shared folders
10.2. References to how we do things now
UsingEmail, SpamAssassin, FeedingSpamAssassin, SpamAssassinAdmin
11. SSH
11.1. Decisions that we've agreed on
- Use the standard SSH daemon in Debian
- Run it on all of our servers, with varying access permissions based on the shared user list
DavorOcelic says:
- Do we need ssh on Main too, if we've got a serial console?
11.2. References to how we do things now
12. SIP Redirection
Do we also want to add the service of SIP redirection? I think this would go along very well with Clinton's suggestion of allowing people to have jabber accounts with their own domain. This way someone could have have their email, jabber and sip addresses all consolidated. A sip redirection server would use next to no bandwidth. All it would do is when a call comes in, give it another address the user can be found on. For example when someone tries to call user1@userdomain.com , the server would spit out a user defined address such as a gizmo or fwd account name and the call would continue on to that seamlessly. - ShaunEmpie