Hacking:Servers/Proton

From ParabolaWiki
This article or section is out of date.
Please help improve the wiki by updating the article and correcting mistakes.

proton.parabola.nu was a VPS hosted somewhere in the UK, on a machine operated by user n1md4 in cooperation with his employer, Positive Internet.

It is no longer used by Parabola.

1 Resources

$ uname -m
x86_64
$ free -h
             total       used       free     shared    buffers     cached
Mem:          1.9G       1.8G       100M       191M        28M       538M
-/+ buffers/cache:       1.2G       667M
Swap:         1.0G       413M       608M
$ df -h | grep sda
/dev/sda1        98G   12G   82G  13% /
/dev/sda3       150G  125G   26G  83% /srv

2 Reboot

Once upon a time, reboots were hard to do because of a weird issue that could make shutdown take half an hour! That's a lot of downtime and praying!

Nowadays it takes about 3 and a half minutes (measured at the Nov 8 01:00 GMT reboot):

shut down  00:01:36
BIOS       00:00:30
boot up    00:01:21
total      00:03:27

Still slower than we would like, but so are most things on Proton.

3 Public-facing network sockets/services

Note: the IPv4 and IPv6 columns are just what lsof reports. The exception is systemd .socket units (marked Yes* below): they listen on both IPv4 and IPv6, but lsof reports them as IPv6 only, even for established IPv4 connections. That is probably a bug in lsof, so some of the other entries may be wrong too.

socket       IPv4  IPv6  protocol     daemon                  other info
TCP:*:22     Yes   Yes   SSH          sshd.service
TCP:*:25     Yes   Yes   SMTP         postfix.service/master
TCP:*:80     Yes   Yes   HTTP         nginx.service
TCP:*:443    Yes   Yes   HTTPS        nginx.service
TCP:*:465    Yes   Yes   SMTPS        postfix.service/master
TCP:*:587    Yes   Yes   SMTP-MSA     postfix.service/master
TCP:*:655    Yes   Yes   tinc         tincd@lvpn.service
TCP:*:875    Yes*  Yes   rsync        rsync.socket
TCP:*:1863   Yes   Yes   SSH          sshd.service
TCP:*:5222   Yes   Yes   xmpp-client  prosody.service
TCP:*:5269   Yes   Yes   xmpp-server  prosody.service
TCP:*:9418   Yes*  Yes   git          git-daemon.socket
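An added example (not from the wiki page) of turning the inventory above into a check: a POSIX sh script that reads `ss -Hltn` output, keeps only wildcard-bound TCP listeners, and reports any port not in the documented list. The `ss` output it parses is a constructed sample; on a live host the same functions read the real command.

```shell
#!/bin/sh
# Added example, not from the wiki page: compare a host's wildcard-bound TCP
# listeners (as reported by `ss -Hltn`) with the inventory documented above,
# so that a newly exposed port shows up as drift instead of going unnoticed.

# Public-facing TCP ports documented in the table in this section.
EXPECTED_PORTS="22 25 80 443 465 587 655 875 1863 5222 5269 9418"

# Read `ss -Hltn` lines on stdin and print the unique ports bound to a
# wildcard address, space-separated. Local addresses may appear as
# 0.0.0.0:22, *:875 or [::]:9418; loopback-only listeners are skipped.
listening_ports() {
    awk '{
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "*" || host == "[::]")
            print port
    }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Print (one per line) every wildcard-bound port that is not documented.
undocumented_ports() {
    for p in $(listening_ports); do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample of `ss -Hltn` output: sshd on v4 and v6, monit on
# loopback, the rsync and git systemd sockets, and an undocumented 8080.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 127.0.0.1:2812 0.0.0.0:*
LISTEN 0 128 *:875 *:*
LISTEN 0 128 [::]:9418 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# Run the check over the constructed sample; on a live host use
# `ss -Hltn | undocumented_ports` instead.
demo() {
    printf '%s\n' "$SAMPLE" | undocumented_ports
}
```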

4 Inward-facing sockets

socket                                                protocol            unit
TCP4/6:localhost.localdomain:2812                     HTTP                monit.service
TCP4:localhost.localdomain:5432                       pgsql               postgresql.service
TCP4/6:localhost.localdomain:5582                     telnet              prosody.service
unix:/run/mailman-fcgi.sock                           FastCGI             mailman-fcgi.socket
unix:/run/uwsgi/labs.sock                             uwsgi               uwsgi@labs.socket
unix:/run/uwsgi/parabolaweb.sock                      uwsgi               uwsgi@parabolaweb.socket
unix:/run/uwsgi/projects.sock                         uwsgi/modifier1=9   uwsgi@projects.socket
unix:/run/uwsgi/repo.sock                             uwsgi/modifier1=14  uwsgi@repo.socket
unix:/run/dovecot/...                                 misc                dovecot.service
unix:/var/spool/postfix/private/auth                  Dovecot SASL        dovecot.service
unix:/var/spool/postfix/private/*                     misc                postfix.service
System stuff
unix:/run/dbus/systemd_bus_socket                     D-Bus               dbus.socket
unix:/run/lvm/lvmetad.socket                          ???                 lvm2-lvmetad.socket
unix:/run/udev/control                                ???                 systemd-udev-control.socket
unix:/run/systemd/...                                 misc                misc
unix:/run/user/${UID}/{bus,systemd/{notify,private}}  misc                user@${UID}.service

5 Other running services of note

  • dovecot.service
  • mailman.service
  • parabolaweb-reporead-inotify.service

6 Nginx "servers"

N/A in the HTTP column means there is no dedicated plain-HTTP server for that name; such requests are handled by the catch-all * entry.

server_name                HTTP                                   HTTPS
Simple redirects
*                          return 301 https://$host$request_uri;  return 301 https://www.parabola.nu/404;
parabolagnulinux.org       N/A                                    return 301 https://www.parabola.nu$request_uri;
*.parabolagnulinux.org     N/A                                    return 301 https://$subdomain.parabola.nu$request_uri;
list.parabolagnulinux.org  N/A                                    return 301 https://lists.parabola.nu$request_uri;
parabola.nu                N/A                                    return 301 https://www.parabola.nu$request_uri;
Websites
www.parabola.nu            N/A                                    Serve /static/, /favicon.ico, /robots.txt, and /img/ statically; redirect /https to /; hand everything else off to uWSGI
labs.parabola.nu           N/A                                    Redirect / to /projects; use uWSGI
lists.parabola.nu          N/A                                    • Redirect / to /mailman/
                                                                  • Redirect /mailman/ to /mailman/listinfo
                                                                  • Serve the mailman CGI programs at /mailman/* via fcgiwrap
                                                                  • Serve the static mailman icons at /icons
                                                                  • Serve /var/lib/mailman/archives/public at /pipermail
projects.parabola.nu       N/A                                    Serve cgit via uWSGI
repo.parabola.nu           N/A                                    Serve the union of /srv/repo/main and /srv/repo/http, using repoindex.php (via uWSGI) for indexes
wiki.parabola.nu           N/A                                    Serve MediaWiki via uWSGI (https://lukeshu.com/blog/nginx-mediawiki.html)
pur.parabola.nu            N/A                                    TODO
redirector.parabola.nu     N/A                                    TODO
repomirror.parabola.nu     N/A                                    TODO

7 Mail configuration

Note: I (lukeshu) have no idea if this is still true for the current server. Ask fauno or mtjm.

Postfix's postscreen handles port 25 and enforces the pregreet test; SPF records are checked via python2-postfix-policyd-spf; mail is delivered via Dovecot's deliver. deliver and the Dovecot daemon must be the same version, so the daemon has to be restarted after an update.

Mailman handles the lists, with Postfix integration via a virtual address map. Use /usr/lib/mailman/bin/newlist to add a list.

8 Configuration things

There used to be several symlinks added to /var to keep things in sane places, but they have been replaced by bind mounts in /etc/fstab, because the symlinks confused pacman.

/var/lib/mailman   ->  ../../srv/mailman
/var/lib/mysql     ->  ../../srv/sql/mysql
/var/lib/postgres  ->  ../../srv/sql/postgres
/var/spool/cron    ->  ../../etc/cron.spool

That is, nothing of consequence that needs to be backed up should live anywhere but /srv or /etc, except perhaps /home for personal files.