RLP's Hobbies Blog

lojban.org System Management


List Of Everything

Anything that has been fully containerized (i.e. dockerized, although I don’t run docker anymore; I run rootless podman) is marked with “C:”.

Anything containerized also has its own user, and everything runs as said user (although podman itself runs unconfined, in the SELinux sense, as that user, which I’m not super happy about).

Anything that has to be http because I haven’t bothered to get a cert is marked as such.

Things listed as being on vrici (that’s a server name) are probably at least somewhat less supported.

  • Server Security Measures
    • SELinux, with unconfined disabled
    • fail2ban
  • Backups
    • server backups: both local (disk-to-disk) and offsite (backblaze); both are daily
    • backup of the lojban githubs (currently in Robin’s personal crontab; oops)
  • Apache Main Webserver / http://lojban.org/ (sort of; that URL actually redirects to the mediawiki)
    • Serves a bunch of static and semi-static stuff, like:
      • http://lojban.org/static/files/ <– what the lojban.org website looked like when I took over, many many years ago.
      • http://lojban.org/static/ <– what it looked like after I sunk a LOT of hours into it, hand editing raw html.
      • http://lojban.org/publications/
      • http://lojban.org/irclogs/
      • http://www.lojban.org/story/
      • http://lojban.org/planet/ – broken, but used to be a https://github.com/moonmoon/moonmoon site
    • Provides web redirection (i.e. reverse proxy) for basically everything else.
      • This is not actually necessary, really; it’s just historical accident. Anything with its own sub-domain (i.e. jbovlaste.lojban.org, mw.lojban.org) could easily be moved in DNS to point at a different IP and thus bypass the main Apache instance entirely. However, IPv4s don’t exactly grow on trees these days, so unless we want to be stuffing ports into people’s URLs (I’d rather not), this arrangement is fine. I’m just pointing out that there’s nothing sacred about it.
    • A whole bunch of redirects so that super old URLs continue working; examples:
              RedirectMatch permanent ^/about.html(\.[^.]*)? http://mw.lojban.org/papri/About_Lojban
              RedirectMatch permanent ^/advanced.html(\.[^.]*)? http://mw.lojban.org/papri/Lojban_For_Advanced_Students
              RedirectMatch permanent ^/beginners.html(\.[^.]*)? http://mw.lojban.org/papri/Lojban_For_Beginners
  • C: Mediawiki (mw.lojban.org; the main site)
    • C: mysql, which holds the database backend for the mediawiki
    • C: nginx
    • C: php-fpm
    • mw extension ilmentufa: http://vrici.lojban.org/~gleki/mediawiki-1.19.2/extensions/ilmentufa/
  • C: jbotcan.lojban.org
    • C: mysql, which holds the database backend for jbotcan
    • the websockets stuff? I’m not even sure what this is for: ws://vrici:3020/socket.io/; the backend appears to be “node livla/index.js”
    • there’s stuff set up for 3021 and 3022 on vrici, but it doesn’t seem to be in use
  • C: http://vlasisku.lojban.org
    • C: the vlasisku IRC bots (i.e. “valsi”)
  • C: http://camxes.lojban.org
  • http://jbovlaste.lojban.org, which is a Perl Mason app, running in the main Apache instance (although, again, this is not sacred; see above) via mod_perl.
    • postgresql, which holds the database backend for jbovlaste
    • jiten, homegrown DICT server using jbovlaste data
  • http://corpus.lojban.org == http://vrici:80/~melbi/cgi-bin/corpus.cgi/
  • logger, the thing that stores stuff said in IRC in Lojban at http://lojban.org/irclogs/
  • http://alice.lojban.org == http://vrici.lojban.org/~xorxes/Alice/
  • Apache on a different server (stodi) for http://mail.lojban.org/
    • http://mail.lojban.org/lists-plain/ (mailing lists as maildir directories)
    • mailman for various mailing lists: http://mail.lojban.org/mailman/listinfo
    • exim for the actual mail handling for lojban.org itself
  • the old tikiwiki: http://tiki.lojban.org/ (which is what we moved to after the second static site above)
    • The sidebar appears to be broken, but you can still get to most stuff if you know the file names, such as http://tiki.lojban.org/tiki/tiki-forums.php for the forum; even that doesn’t quite work, but for example http://tiki.lojban.org/tiki/tiki-view_forum.php?forumId=5 does
    • It’s, umm, it’s all pretty broken, though.
    • mysql for the backend database
    • php-fpm
  • http://lojban.org/jboski/index.php
  • http://mw.lojban.org/extensions/tikiforum5/www.lojban.org/tiki doesn’t seem to be working but was presumably a mirror of the old forums on the tikiwiki. The entire first generation of the BPFK is stored in the old tiki forums; that’s where almost all of the discussion occurred. And there was a lot.
    • Ah, this works: http://vrici.lojban.org/~gleki/mediawiki-1.19.2/extensions/tikiforum5/www.lojban.org/tiki/

General Issues:

FIXME: puppet

FIXME: selinux

Note that in a few scripts and commands I do “setenforce 0”. Note also that it is done for very short periods of time. If you leave “setenforce 0” without discussing it with me, first of all puppet will fix it for you on the next run, and secondly if I notice you’ll lose access.

Restart Main Webservice

This often fixes issues with mw.lojban.org or jbovlaste.lojban.org:

    sudo /sbin/service httpd restart

Update Certs

We use letsencrypt for our cert management. The program that letsencrypt uses to automatically update our certs is “certbot”. certbot does NOT play well with selinux.

    sudo /sbin/setenforce 0 ; sudo /bin/certbot renew ; sudo /sbin/setenforce 1
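The one-liner above restores enforcing mode when certbot exits, but not if the shell is interrupted partway through. The wrapper below is an added example, not one of the site's own scripts: it goes slightly further than the one-liner by restoring enforcing mode from a trap and by leaving SELinux alone if it was not enforcing to begin with. `run_permissive`, `GETENFORCE` and `SETENFORCE` are names made up for this example, and `/sbin/getenforce` is an assumed path.

```shell
#!/bin/sh
# Added example, not the site's own script.
# GETENFORCE/SETENFORCE are overridable so the wrapper can be dry-run
# with stubs; the setenforce default matches the path used on this page,
# /sbin/getenforce is an assumed sibling path.
: "${GETENFORCE:=/sbin/getenforce}"
: "${SETENFORCE:=sudo /sbin/setenforce}"

# run_permissive CMD [ARGS...]
# Runs CMD with SELinux permissive, then puts the mode back to enforcing
# even if CMD fails or the shell gets INT/TERM/HUP. Returns CMD's status.
run_permissive() {
    (   # subshell: the traps below are scoped to this one call
        prev=$($GETENFORCE) || exit 1
        if [ "$prev" = "Enforcing" ]; then
            # Restore on any exit path; complain loudly if that fails.
            trap '$SETENFORCE 1 || echo "SELinux NOT restored to enforcing" >&2' EXIT
            # Turn signals into a normal exit so the EXIT trap still runs.
            trap 'exit 130' INT TERM HUP
            $SETENFORCE 0 || exit 1
        fi
        # If the host was already permissive or disabled, change nothing.
        "$@"
        rc=$?
        exit "$rc"
    )
}

# Usage on the server (same work as the one-liner above):
#   run_permissive sudo /bin/certbot renew
```

A SIGKILL still skips the trap; the puppet run mentioned under General Issues is the backstop for that case.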