ClintonEbadi972021-11-06 17:50:12ClintonEbadisome things are done, others are not962020-09-03 15:34:09ClintonEbadirandomly stumbled upon a dyndns protocol frontend952020-09-02 05:11:03ClintonEbadi942020-09-02 05:06:34ClintonEbadiinstead of networked domtool-tail, we should use syslog932020-09-01 16:02:35ClintonEbadinote manual page for replacing rxkad with keyfileext922020-09-01 01:41:49ClintonEbadidid the xmpp/mail upgrade912020-08-25 03:31:41ClintonEbadimention ejabberd uploaded files as user data (which are auto purged).902020-08-10 21:01:16ClintonEbadimy page needs a toc at this point892020-08-10 21:00:04ClintonEbadigot the task list sorted a bit more realistically882020-08-10 20:45:49ClintonEbadiSetEnvIf syntax seems acceptable, and is in use872020-07-23 05:11:47ClintonEbadiit is not jan/feb 2019 anymore i guess862019-05-10 14:33:51ClintonEbadidb backups are working now852019-05-10 14:33:00ClintonEbadinote purging mod_mam842019-02-10 21:43:56ClintonEbadiscratching down some thoughts on managing member data stored outside of afs832019-02-10 21:07:02ClintonEbadidid a couple of small things822019-01-06 18:27:28ClintonEbadicaching nameservers are in place, setenvif is mostly done812019-01-02 01:51:44ClintonEbadialso working on setenvif802019-01-02 01:48:47ClintonEbaditrying to plot out the next 30 days of work on hcoop792018-12-29 03:26:38ClintonEbadisome tasks782018-12-29 03:20:07ClintonEbadii'm not the president nowadays772018-12-29 03:19:34ClintonEbadioverhaul thoughts on ssl, remove some obsolete bits762018-12-26 02:12:57ClintonEbadi752018-12-26 01:39:38ClintonEbadishoehorning ipv6 in apache gave me an idea742018-04-10 00:16:40ClintonEbadi732018-04-10 00:15:27ClintonEbadispring cleaning722017-01-31 02:54:19ClintonEbadiancient notes begone!712017-01-30 06:54:26ClintonEbadisomething something SetHandler hates me702015-05-22 03:40:33ClintonEbadiI'm gonna put checks next to these way overdue todo items since deleuze killed itself and I want to feel good about myself for 30 seconds692015-05-17 03:42:19ClintonEbaditest edit682015-04-19 19:40:18ClintonEbadisudo setcred problem gone672015-04-15 05:09:06ClintonEbadithe mystery of the missing tokens is solved662015-04-15 04:24:38ClintonEbadijessie preseed almost went right652015-03-20 19:21:51ClintonEbadithinking about permissions and modules with dangerous features and domtool642015-03-06 01:58:03ClintonEbadidomtool database query interface idea632015-03-06 00:26:27ClintonEbadithinking about adding some new domtool language features to make more advanced configuration possible622015-03-04 04:52:04ClintonEbaditried to set up kallithea612014-05-10 00:32:32ClintonEbadiI think I got all of the checkout references and replaced then with stripe references602014-05-09 22:59:07ClintonEbadimore things done592014-05-02 09:27:30ClintonEbadi582014-05-02 09:26:24ClintonEbadi572014-05-02 09:24:53ClintonEbadicheck check check check check check562014-05-02 08:17:26ClintonEbadiStripe updates done, I hope552014-05-01 08:11:17ClintonEbadieveryone can be a debian maintainer542014-04-23 19:48:14ClintonEbadi532014-04-23 06:58:19ClintonEbadidid things, and think I know how to get fastcgi working522014-04-21 02:08:23ClintonEbadidecruft512014-04-12 09:17:09ClintonEbadivhostdefault considered harmful502014-04-10 21:06:40ClintonEbadi492014-04-10 13:36:15ClintonEbadimore ssl482014-04-10 13:28:41ClintonEbadi472014-04-10 13:26:51ClintonEbadinotes to self about ssl462014-04-01 11:37:35ClintonEbadi452014-04-01 11:37:18ClintonEbadi442014-04-01 11:22:37ClintonEbadi432014-04-01 11:18:33ClintonEbadi422014-03-22 18:07:47ClintonEbadineed to update a few pages after we start using stripe (and to excise remaining Checkout references)412014-03-06 19:01:40ClintonEbaditime what is time402013-07-27 21:02:15ClintonEbadicleanup392013-02-01 08:32:45ClintonEbadiwsgi looks like a better idea than fastcgi382013-02-01 07:13:17ClintonEbadifastcgi is coming372013-01-27 07:57:49ClintonEbadiso, the reason wikis keep using 100% cpu for a while...362013-01-26 20:59:18ClintonEbadiinteresting macro that might improve the member manual352013-01-26 08:07:11ClintonEbadigot bugzilla the other day342013-01-26 00:42:36ClintonEbadilet's see if I can save pages332013-01-24 06:44:11ClintonEbadithings get done and so they go away322013-01-20 08:08:45ClintonEbadiwebsite stuff312013-01-17 19:38:47ClintonEbadimore notes to self302013-01-15 08:07:50ClintonEbadi292013-01-15 07:29:37ClintonEbadialso websites282013-01-15 07:16:48ClintonEbadiimmediate tasks / basically dealt with mail272013-01-12 22:05:04ClintonEbadiremeber not to break urls262013-01-12 21:19:26ClintonEbadinote to self252013-01-12 08:58:53ClintonEbadiroll call round 2242013-01-10 00:24:46ClintonEbadibilling addresses232013-01-08 08:43:50ClintonEbadiadjust timelines... some things bumped back, others forward. Not too far behind schedule.222013-01-08 07:56:48ClintonEbadiactually did some stuff212013-01-03 10:03:57ClintonEbadinote to self to test that this local suffix stuff works because why am I doing this at 5 a.m.202013-01-03 07:40:29ClintonEbadiwarn gmail users everywhere192013-01-02 23:59:46ClintonEbadi182013-01-01 21:46:35ClintonEbadi172013-01-01 19:45:15ClintonEbaditerrible crap we need to deal with162012-09-04 05:52:22ClintonEbadilet's see if I can keep a schedule152012-09-04 05:31:25ClintonEbadimoved board statements to their own page142012-03-15 17:26:46ClintonEbadi2012 board statement132010-11-02 22:47:24ClintonEbadidecruft122010-03-12 17:06:56ClintonEbadi2010 board statement112009-04-03 18:25:28ClintonEbadi102009-04-03 18:08:18ClintonEbadi92008-07-07 04:28:14localhostconverted to 1.6 markup82008-04-19 19:53:33ClintonEbadi72007-12-16 18:30:57ClintonEbadi62006-12-21 21:50:41ClintonEbadi52006-08-08 21:04:40ClintonEbadi42006-06-24 17:11:49ClintonEbadi32006-06-12 07:39:00ClintonEbadi22005-11-30 01:10:04ClintonEbadi12005-11-30 01:08:30ClintonEbadiI am Clinton Ebadi. I am the Treasurer of the coop (someone has to do it), and the current lead sysadmin / DomTool maintainer / lo-fi AdamChlipala replacement. Board StatementsSee /BoardStatements General Coop GoalsUnstructured musing on when/what I think the coop ought to be. Summer/Fall 2020: Debian buster across the board, OpenAFS 1.8.6, full compliance with modern XMPP requirements, maybe /JitsiMeet Contact<clinton at unknownlamer dot org>
(Email) <clinton at hcoop dot net>
(XMPP) unknown_lamer on freenode (IRC) in #hcoop +1 443 538 8058 (Phone, SMS preffered as I will ignore your call if I don't have your number already and check voicemail approximately once per century) Websites Personal Homepage My Journal is a bit less dusty TasksUnderway(./) buster upgrade on shell and webserver this weekend (./) buster upgrade mail/xmpp server upgrade mysql to 5.7 on gibran change default PhpVersion
to 7.4 upgrade openafs servers to 1.8 Procedure for creating KeyFileExt to replace rxkad (./) upgrade outpost to buster (./) test bind first on ServerBusted (./) upgrade lovelace to buster after making sure things are stable with outpost upgrades start dealing with increasing the krbtgt strength (just adding stronger ciphers and removing the weakest ciphers initially + re-generating high value service principals) upgrade gibran to buster reimplement multiple postgres instance support, upgrade to latest (on port 5432 again finally...) (./) Enter old bills into the portal and reconcile everything so we can implement FinancialReservePolicy Time permitting, squeeze in setting up /JitsiMeet if tests prove it's feasible for us to host Medium termAs of this writing, this means "hopefully before the end of 2020" Grant members all on $db.*
in mysql now that we have backups so if they manage to drop their database it's not fatal anymore. Will make default mysql experience much saner. Opt all members and vmail accounts into spam checking, automatically move spam to ~Maildir/.Junk, (pending discussion) auto delete mail in Junk (see TODO DaemonAdmin/SpamAssassin) Letsencrypt integration into domtool Longer TermProbably during 2021 Managing data when members depart better Useful, member accessible backups Centralize apache loggingdomtool-tail is broken, and supporting it is challenging in a multi-server environment. Instead, we could like just use syslog to write logs to either nfs or afs in real time. DomTool would generate a syslog-ng config snippet to monitor each user log file and write to the final destination AFS: Write directly to ~/.logs/apache/SERVER/DOMAIN/...
Downside: Unless we want to run a bunch of syslog instances, there would have to be a shared syslog principal that could write to all member log directories NFS: Syslog would just write logs to another directory on the server, and set permissions to the user the log really belongs to (can't do this directly with the apache logs as anyone who can write to the log can do bad things, in theory, so directly mounting /var/log/apache2
is impossible). Exported directories from each host would be mounted on the member login server Regular UNIX permissions would be used to control access, since we control the user database for both machines and know UIDs will match Logs would be regularly rsynced to afs storage (using USER.daemon
credentials) as is done now for longer term storage In either case, might be a good idea to move logs to a dedicated volume? And maybe introduce USER.log
principles ... is there any reason we would want to allow USER.daemon
access to the log directory by default? Only case I could see would be members using daemon roles to automatically process logs, in which case presumably they would be able to handle granting the required permissions manually. Admin StuffImprove SSL ExperienceWe are not managing certificates well we don't check and warn members when their certs are going to expire requesting certs via the filesystem is clunky for most users, we should support upload via the portal instead Need to add letsencrypt support DomtoolReplace use_cert
cert
function that just takes the final name instead of the full pathname, providing the full pathname is kind of clunky. ssl
(* SSL = cert "mydomain.pem"; *)]]>We also need to support letencrypt, perhaps like so: ssl
(* SSL = letsencrypt "my.domain"; *)]]>Which would find the certs in the standard location used by certbot... or we could use symlinks there from our location. PortalWe should allow submission of certs / keys through the web interface. Can use an insert-only afs dir to securely allow hcoop.daemon to write certs without being able to access them, which would then be installed manually by an admin using ca-install
. The portal request page should display all certs a user is permitted to use already, their common name, and their expiration date. Managing CertificatesNeeds Updating Not very fleshed out, also does not consider how we're going to manage letsencrypt certs Since we no longer need to support explicit intermediate certs (everything nowadays accepts the chain in the main certificate file), we can just use domtool's cert permission to track things. A cron should check for things like: Certs that are not owned by any member in domtool Permissions to certs that don't exist Expired or soon to expire certs (should exponentially back off notice until expiration date changes, like quotacheck does for low space), emailing the member as well as admins@ Certificate CN and validity dates should be shown on the portal ssl page; ssl check cron should cache this somewhere the portal can read it. destroy-user needs to nuke certs for leaving members ... we need to overhaul this generally and stash all member data in one location when destroying for later removal / restoration (if they return in the 30 day deletion window). Managing Member Data BetterTrying to hash out how we can better manage user data when they depart; right now we reply on someone (me...) to go in 30 days after removing a member to remove all of their non-afs data manually, which is prone to error and needs to be managed better if we want to comply with things like GDPR (although I don't think it applies to us directly as a US corporation, it would be nice to do so since we really don't want to be retaining data longer than needed anyway, and the US will likely have stringent privacy laws aimed at facebook/google that will punish all the same for failing to remove data immediately too...). Databases (/srv/databases/u/us/user/*) SSL certs /etc/apache2/ssl/user/$domain Maybe add username to the path; we are managing these with domtool perms so it's easy enough to find which certs belonged to a member... until we remove all of their permissions when removing their account. Portal database data Payment records / archived member app: cannot be deleted, we are legally required to have open books for our members URL and location database entries: these should definitely be purged after the retention period Firewall rules Currently rules are stored in one file, would be easier to manage if we split each member's rules into a separate file GNU Mailman lists We don't track who owns which list outside of the list control request in the portal ejabberd data mnesia: rosters, PEP, ... we might want to convert our mnesia database to postgres to make removing data associated with departing members simpler mod_mam -- actual messages, but in SQL (delete * from archive where username = 'XXX';
): we haven't started storing these as of 2019-05-10, so it would be a good candidate to add to an initial purge-user
script when setting up. mod_http_upload files in local storage on the ejabberd server (we expire these every 30 days already) Incidental data in the roundcube webmail database (address book, preferences) Including data for any vmail users associated with the member (additional wrinkle there: should we be removing this data as soon as a member deletes a vmail user?) Not personal data, but things we should clear for housekeeping in general: Apache davlockdb directory We already manage mail and $HOME data fine, both are easy to clear (delete the volumes, done). One aspect of the solution I've been thinking about that would also make it easier for members to export their data in general: we could set up a backups.$user
volume, and store dumps of data we hold on behalf of the data there: database backups, mailing list archives, an exported dump of their ejabberd roster, maybe even copies of their ssl certs. We also need a registry of data we keep on behalf of members that can't immediately be identified based on their username: at least ssl certs and mailing lists (those might be it though... and certs are already tracked with domtool perms so maybe just adding a "list" perm would be adequate, which could then be used to maybe allow members to perform some list management through a domtool program). And we need to store things like domtool permissions when destroying (might be able to achieve some of this by first freezing members before removing them), so that we can use them later when performing the final purge of data after the retention period ends (important to keep a brief retention period for those "oh right, I have to actually pay dues" moments...). etc.default DirectoryIndex does not include index.shtml, should this be changed? vhostDefault
makes configuring the default vhost slightly unpleasant. Extend host
with host_default
token and eliminate? Website(create Website bugzilla product and move these there) Convert hcoop.net into domtool config (looks trivial, a few rewrites... except for userdir support?) On the topic of user dirs: allow members to register a redirect for hcoop.net/~foo?) Perhaps: Move userdirs to http://users.hcoop.net/~foo
(302ing from hcoop.net/~foo
) (./) Replace facebook links with other "get to know the members" text Inspire members to join the planet Make the locations tool usable again (something we can use with Openstreetmap). Give RobinTempleton access as needed Wikichild pages macro for listing the section of the member manual in the sidebar? domtool plansFeature backlog Improve fwtool
as needs become clearer (FirewallTool) restricted modules for apacheInspiration: hcoop.net's vhost is non generated by domtool, and only because it enabled mod_userdir Idea: have a set of restricted modules that can only be used by superusers. Easiest to just have another ad-hoc list setting in config for domtool. ACL example: hcoop priv www
, www
priv overloaded to also allow use of restricted module. Problems: no way currently to restrict access to actions or lib files. Deficiences: priv www
is a blunt instrument. priv
system in general is mediocre. It might be nice to be able to do something like hcoop priv www apache-module/userdir mail/hopper.hcoop.net
(i.e. access to all www nodes, access to the userdir module only, access to hopper). Keys gain some hierarchy polluting the purity of the triples db, but it is already a bit polluted... is there any difference between adding hierarchy to priv keys and the existing implicit hierarchies in domains and paths? Solution: might be overkill just for mod_userdir, if it looks like minimal additional code is required perhaps implement hierarchical privs (extending www and mail privs to support limiting to particular admin hosts) and restricted apache modules. Pattern Matching and New TypesA vague idea that may prove to be unworkable. I think at least implementing list matching in domtool would be quite useful. Abstraction syntax would be need to be improved to support multiple clauses. case
would also be needed to make it useful. Syntax would be easy enough to add except for having to deal with runtime non-exhaustive match exceptions (perhaps requiring exhaustive matches and living with the limitation). Ambitious, probably time consuming, might require adding tail call optimization to the interpreter. Example: \list ->
case list of head::tail =>
begin
action head;
map action tail;
end
| [] => Skip;
(* Alias a list of email addresses to *)
val multiAlias = \sources -> \target -> map (\source -> emailAlias source target) sources;]]>I probably lack the skill/willpower in the short term... alternative idea, just implement a loop primitive in SML and magic the types away by making it a primitive construct (defining its type on DomTool/LanguageReference). Maybe implement polymorphic actions if adding then is secretly easy: 'b) -> ['a]) -> [^Root];
]]> \target -> map (\source -> emailAlias source target) sources;]]>Most of the gain, none of the pain. New types: even more ambitious. Supporting at least tuples or named records, and perhaps a construct for querying the domtool acl database. Idea would be to use it for something like the firewall, where only primitive "generate one firewall rule" constructs would be needed, and then user firewalls could be constructed by querying the ports available to each user and matching/looping. One pattern that has recurred in domtool is that of a special purpose client + server commands that operates on a simple database. E.g. spamassassin prefs, vmail users, firewall rules, and the domtool acl database. It would be useful to have a generalized serialize/unserialize sets of sml records library, perhaps with a generalized/queryable tuples database built on top of the primitive raw-records database. Even better would be to allow databases to be exposed to domtool, and simple queries performed on them. Maybe. ]]>ip / ipv4 / ipv6There are a few places (mostly apache) where it would be great to be able to interchange ip and ipv6 addresses. But there's no way to subtype in domtool (except for refining base int and string). It's been shoehorned in for now (always requiring a node to have an ipv6 address), but this can be a bit awkward (e.g. webAtIp
requires that an ipv4 and ipv6 address be provided). Also might make sense to be able to pass an array of IPs in a few spots instead of just fixing it at one ipv4 and one ipv6 address per WebPlace
. you can just pass more than one WebPlace already. Things to Look AtDynamic DNSa couple of members have been requesting a dynamic dns solution for a while now, some possible solutions: Easier App InstallWe should probably figure out how we can support docker containers because they are popular and there is no stopping them (plus maybe they are a bit convenient). Podman in theory works on Debian Buster and might even run in afs (I did one test and it seemed to)... but mainly it lets users run containers as themselves without need a daemon running as root and zero security. "Sandstorm is an open source platform for self-hosting web apps" that claims to support multiple users on the same server web gui for podman that integrates with kerberos and claims to allow unprivileged users to manage containers under their own account Board StuffWhat address should we be using for the "owner" of hcoop services? It's a mix of the current treasurer, registered agent, and data center right now... is the registered agent correct? Do we need to get a PO Box or something? Possible policy change: pro-rate the first month of dues for new members. It seems a bit unfair to make folks pay an entire month of dues, especially if they join near the end of the month. Board did approve this, but was never implemented :-\ Do we need a private wiki of some sort for filing sensitive information like welcome emails for services and various credentials... is it safe enough to do that using the public moin and acls? I'm not sure sure... etcBarely formed sentences. tt-rss at hcoopOur postgresql does not use passwords. The installer needs a single tweak to remove the required attribute of the database password to install. Fastcgi Problems with openafsOld Content: This section is from before fastcgi was implemented. Leaving so I might remember one day to try the idea of adding an suexec hook to apache. The mod_fcgid spawner runs in its own process pool and therefore without tokens or the ability to acquire tokens for processes it launches. Thus, all fcgi processes must be wrapped to avoid surprising behavior. The FcgidWrapper
directive is not very expressive: the "wrapper" is the fastcgi application that is launched and then passed any files matching the extension using SCRIPT_NAME
. A wrapper wrapping script is needed to grab tokens before launching the actual wrapper, and just using {Add,Set}Handler fcgid-script
won't work as expected (users could of course arrange for programs run that way to grab tokens manually). mod_wsgid and mod_cgid have identical problems. Inspecting the apache source code makes it appear that it would be possible to fix the situation generally by adding a pre/post suexec hook. The process managers for mod_cgid/mod_fcgid/mod_wsgid are forked from the primordial apache process which I understand has all modules loaded. Modules like mod_auth_kerb and mod_waklog could then inject tickets/tokens/etc. into the environment from which external processes were spawned using the suexec hooks. CategoryHomepage