
Difference between revisions of "Poddery - Diaspora, Matrix and XMPP"

From Free Software Community of India
Revision as of 03:38, 1 May 2019

We run the decentralized and federated Diaspora social network, together with XMPP and Matrix instant messaging services, at poddery.com. The same Poddery username and password can be used to access the XMPP and Matrix services. chat.poddery.com provides the Riot client (accessed through a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.

Environment

Hosting

Poddery is hosted at Hetzner with the following specs:

  • Intel Xeon E3-1246V3 Processor - 4 Cores, 3.5GHz
  • 4TB HDD
  • 32GB DDR3 RAM

Operating System

  • Debian Buster

User Visible Services

Diaspora

Chat/XMPP

  • Prosody, a modern and lightweight server, is used as the XMPP server.
  • The currently installed version is 0.11.2, which is available in Debian Buster.
  • All XEPs supported by the Conversations app are enabled.

Chat/Matrix

Homepage

Homepage and other static pages are maintained in FSCI GitLab instance.

Backend Services

Web Server / Reverse Proxy

  • Nginx web server, which also acts as the front-end (reverse proxy) for Diaspora and Matrix.

Database

  • PostgreSQL for Matrix
  • MySQL for Diaspora

TODO: Consider migrating Diaspora to PostgreSQL to optimize resources (we can drop one service and reduce RAM usage).

Email

  • Exim

SSL/TLS certificates

  • Letsencrypt

Coordination

Contact

Email: poddery at autistici.org (alias that reaches Akhilan, Abhijith Balan, Fayad, Balasankar, Julius, Praveen, Prasobh, Sruthi, Shirish, Vamsee and Manukrishnan)

The following people have their GPG keys in the password file: Praveen Arimbrathodiyil (piratepin) (ID: 0xCE1F9C674512), Balasankar C (ID: 0x96EDAB9B2E6B7171), Manu Krishnan T V (ID: 0x5D0064186AF037D9), Fayad Fami (fayad) (ID: 0x51C954405D432381), Abhijith PA (ID: 0x863D4DF2ED9C28EF), Syam G Krishnan (sgk) (ID: 0x6EF48CCD865A1FFC), Sagar Ippalpalli (ID: 0xFD49D0BC6FEAECDA), Pirate Bady (piratesin) (ID: 0x92FDAB42A95FF20C), Kannan (ID: 0x0B1955F40C691CCE), Akhil Varkey (ID: 0x32FF6C6F5B7AE248)

We recommend setting up the Vim GPG plugin for transparent editing. If you are new to GPG, follow this guide.

Server Access

Maintained in a private git repo at https://git.fosscommunity.in/community/access

Configuration and Maintenance

Disk Partitioning

  • RAID 1 setup on 2x2TB HDDs (sda and sdb).
mdadm --verbose --create /dev/mdX --level=mirror --raid-devices=2 /dev/sdaY /dev/sdbY
  • Separate partitions for swap (md0 - 16GB), boot (md1 - 512MB) and root (md2 - 50GB).
  • LVM on LUKS for separate encrypted data partitions for database, static files and logs.
# Setup LUKS (make sure lvm2, udev and cryptsetup packages are installed).
cryptsetup luksFormat /dev/mdX
# Give disk encryption password as specified in the access repo
cryptsetup luksOpen /dev/mdX poddery

# LVM Setup
# Create physical volume named poddery
pvcreate /dev/mapper/poddery
# Create volume group named data
vgcreate data /dev/mapper/poddery
# Create logical volumes named log, db and static
lvcreate -n log /dev/data -L 50G
lvcreate -n db /dev/data -L 500G
# Assign remaining free space for static files
lvcreate -n static /dev/data -l 100%FREE 

# Create directories for mounting the encrypted partitions
mkdir /var/lib/db /var/lib/static /var/log/poddery

# Manually mount encrypted partitions. This is needed on each reboot because Hetzner doesn't provide a web console, so the partitions can't be decrypted during boot.
mount /dev/data/db /var/lib/db
mount /dev/data/static /var/lib/static
mount /dev/data/log /var/log/poddery
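The manual post-reboot unlock-and-mount sequence above, wrapped in a script that also verifies the result before any service that depends on the encrypted volumes is started. This is an added example, not a script from the Poddery wiki or the access repo; the LV names and mount points come from the page, while MD_DEVICE (the page's /dev/mdX placeholder) and the check/mount subcommands are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Poddery wiki): unlock the LUKS container,
# activate the LVM volume group "data" and mount its logical volumes, then
# verify that every mount point is really backed by its encrypted LV.
# MD_DEVICE is an assumption standing in for the page's /dev/mdX.
set -eu

MD_DEVICE="${MD_DEVICE:-/dev/mdX}"          # RAID device holding the LUKS container
VOLUMES="db:/var/lib/db static:/var/lib/static log:/var/log/poddery"

# Open the LUKS container (prompts for the passphrase from the access repo),
# activate the volume group and mount each LV that is not mounted yet.
mount_encrypted_volumes() {
    [ -e /dev/mapper/poddery ] || cryptsetup luksOpen "$MD_DEVICE" poddery
    vgchange -ay data
    for entry in $VOLUMES; do
        lv=${entry%%:*}; dir=${entry#*:}
        mountpoint -q "$dir" || mount "/dev/data/$lv" "$dir"
    done
}

# Verify the mounts by reading a mounts table in /proc/mounts format from $1
# (defaults to /proc/mounts, parameterised so it can be run against a copy).
# Prints each mount point that is missing or backed by another device and
# returns 1 in that case, so callers can refuse to start mysql or synapse
# on top of the unencrypted root filesystem.
check_encrypted_mounts() {
    mounts="${1:-/proc/mounts}"
    status=0
    for entry in $VOLUMES; do
        lv=${entry%%:*}; dir=${entry#*:}
        # /dev/data/<lv> shows up as /dev/mapper/data-<lv> in /proc/mounts
        if ! grep -q "^/dev/mapper/data-$lv $dir " "$mounts"; then
            echo "NOT MOUNTED: $dir (expected /dev/mapper/data-$lv)"
            status=1
        fi
    done
    return $status
}

# Usage: sh mount-poddery.sh mount   (after a reboot, as root)
#        sh mount-poddery.sh check   (verify only)
case "${1:-}" in
    mount) mount_encrypted_volumes && check_encrypted_mounts ;;
    check) check_encrypted_mounts ;;
esac
```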

Hardening checklist

  • SSH password based login disabled (allow only key based logins)
  • SSH login disabled for root user (use a normal user with sudo)
# Check for the following settings in /etc/ssh/sshd_config:
...
PermitRootLogin no
...
PasswordAuthentication no
...
  • Firewall enabled with only the ports that need to be opened (ufw tutorial)
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable
  • fail2ban configured against brute force attacks
# Check for the following line in /etc/ssh/sshd_config:
...
LogLevel VERBOSE
...

# Restart SSH and enable fail2ban
sudo systemctl restart ssh
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# To unban an IP, first check /var/log/fail2ban.log to get the banned IP and then run the following
# Here sshd is the default jail name, change it if you are using a different jail
fail2ban-client set sshd unbanip <banned_ip>
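A script that audits an sshd_config for the three settings the checklist above requires (PermitRootLogin no, PasswordAuthentication no, LogLevel VERBOSE), following sshd's first-match, case-insensitive parsing rather than a plain grep. This is an added example, not a script from the Poddery wiki; the "audit" subcommand and the config path argument are assumptions, and only the "Keyword value" form shown on the page is handled.

```shell
#!/bin/sh
# Added example (not part of the Poddery wiki): check that sshd_config
# contains the hardening settings from the checklist. Takes the config
# path as an argument so it can be run against a copy of the file.
set -eu

# sshd uses the FIRST occurrence of a keyword, ignores comments and is
# case-insensitive for keywords and yes/no/loglevel values, so the audit
# mimics that. Settings inside Match blocks are conditional, so parsing
# stops at the first Match line and only global settings are audited.
effective_value() {
    # $1 = config file, $2 = keyword; prints the lowercased value or nothing
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank
        tolower($1) == "match" { exit }                 # stop at Match blocks
        tolower($1) == key { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# Returns 0 when every required setting is in effect, 1 otherwise.
# Prints one line per problem, e.g. "PasswordAuthentication: want no, got yes".
# An unset keyword is reported too: the defaults (PermitRootLogin
# prohibit-password, PasswordAuthentication yes, LogLevel INFO) do not
# satisfy the checklist.
audit_sshd_config() {
    cfg="$1"
    status=0
    for pair in "PermitRootLogin=no" "PasswordAuthentication=no" "LogLevel=verbose"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: want $want, got ${got:-unset}"
            status=1
        fi
    done
    return $status
}

# Usage: sh audit-sshd.sh audit [/path/to/sshd_config]
case "${1:-}" in
    audit) audit_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
esac
```

Run it again after every sshd_config change and before restarting ssh; a non-zero exit means one of the checklist items has silently regressed.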

Diaspora

  • Diaspora installation and configuration:
apt install diaspora-installer

# Move MySQL data to encrypted partition
systemctl stop mysql
# Make sure /dev/data/db is mounted to /var/lib/db
mv /var/lib/mysql /var/lib/db
ln -s /var/lib/db/mysql /var/lib/mysql
  • Modify the configuration files at /etc/diaspora and /etc/diaspora.conf as needed (backups of the current configuration files are available in the access repo).
  • Homepage configuration:
# Make sure git and acl packages are installed
sudo apt-get install git acl

# Grant rwx permissions for the ssh user to /usr/share/diaspora/public
sudo setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public

# Clone poddery.com repo
cd /usr/share/diaspora/public
git clone https://git.fosscommunity.in/community/poddery.com.git
cd poddery.com && mv * .[^.]* .. # Answer yes for all files when prompted
cd .. && rmdir poddery.com
  • The save.poddery.com repo is maintained as a submodule of the poddery.com repo. See this tutorial for working with git submodules.
# Clone save.poddery.com repo
cd /usr/share/diaspora/public/save
git submodule init
git submodule update

History

  • See here for the archive of Poddery wiki page before the migration to Hetzner.