Hacking:Servers/Proton
proton.parabola.nu was a VPS hosted somewhere in the UK, on a machine operated by user n1md4 in cooperation with his employer, Positive Internet.
It is no longer used by Parabola.
1 Resources
$ uname -m
x86_64
$ free -h
             total       used       free     shared    buffers     cached
Mem:          1.9G       1.8G       100M       191M        28M       538M
-/+ buffers/cache:       1.2G       667M
Swap:         1.0G       413M       608M
$ df -h | grep sda
/dev/sda1        98G   12G   82G  13% /
/dev/sda3       150G  125G   26G  83% /srv
2 Reboot
Once upon a time, reboots were hard to do because of a weird issue that could make shutdown take half an hour! That's a lot of downtime and praying!
Nowadays, it takes about 3 and a half minutes (measured at the Nov 8 1:00 GMT reboot):
phase | duration |
---|---|
shut down | 00:01:36 |
BIOS | 00:00:30 |
boot up | 00:01:21 |
total | 00:03:27 |
Still slower than we would like, but so are most things on Proton.
3 Public-facing network sockets/services
socket | IPv4 | IPv6 | protocol | daemon | other info |
---|---|---|---|---|---|
TCP:*:22 | Yes | Yes | SSH | sshd.service | |
TCP:*:25 | Yes | Yes | SMTP | postfix.service/master | |
TCP:*:80 | Yes | Yes | HTTP | nginx.service | |
TCP:*:443 | Yes | Yes | HTTPS | nginx.service | |
TCP:*:465 | Yes | Yes | SMTPS | postfix.service/master | |
TCP:*:587 | Yes | Yes | SMTP-MSA | postfix.service/master | |
TCP:*:655 | Yes | Yes | tinc | tincd@lvpn.service | |
TCP:*:875 | Yes* | Yes | rsync | rsync.socket | |
TCP:*:1863 | Yes | Yes | SSH | sshd.service | |
TCP:*:5222 | Yes | Yes | xmpp-client | prosody.service | |
TCP:*:5269 | Yes | Yes | xmpp-server | prosody.service | |
TCP:*:9418 | Yes* | Yes | git | git-daemon.socket | |
4 Inward-facing sockets
socket | protocol | unit |
---|---|---|
TCP4/6:localhost.localdomain:2812 | HTTP | monit.service |
TCP4:localhost.localdomain:5432 | pgsql | postgresql.service |
TCP4/6:localhost.localdomain:5582 | telnet | prosody.service |
unix:/run/mailman-fcgi.sock | FastCGI | mailman-fcgi.socket |
unix:/run/uwsgi/labs.sock | uwsgi | uwsgi@labs.socket |
unix:/run/uwsgi/parabolaweb.sock | uwsgi | uwsgi@parabolaweb.socket |
unix:/run/uwsgi/projects.sock | uwsgi/modifier1=9 | uwsgi@projects.socket |
unix:/run/uwsgi/repo.sock | uwsgi/modifier1=14 | uwsgi@repo.socket |
unix:/run/dovecot/... | misc | dovecot.service |
unix:/var/spool/postfix/private/auth | Dovecot SASL | dovecot.service |
unix:/var/spool/postfix/private/* | misc | postfix.service |
System stuff | | |
unix:/run/dbus/systemd_bus_socket | D-Bus | dbus.socket |
unix:/run/lvm/lvmetad.socket | ??? | lvm2-lvmetad.socket |
unix:/run/udev/control | ??? | systemd-udev-control.socket |
unix:/run/systemd/... | misc | misc |
unix:/run/user/${UID}/{bus,systemd/{notify,private}} | misc | user@${UID}.service |
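The two socket tables above are only useful if someone checks the live host against them. The script below is an added example, not something from the Parabola wiki or the Proton host: it takes `ss -Hlnt` style output, keeps the port lists from the public and inward-facing tables as the allow-list, and reports any TCP listener that is undocumented, or that is documented as loopback-only (monit, PostgreSQL, the prosody console) but bound to a wildcard address. The `ss` lines it runs on here are constructed sample data so the script works offline; on the real machine point it at the live command instead.

```shell
#!/bin/sh
# Added example (not Parabola's own tooling): audit listening TCP sockets
# against the documented port lists for proton.

# Documented public TCP ports (public-facing table above).
ALLOWED_PORTS="22 25 80 443 465 587 655 875 1863 5222 5269 9418"
# Documented loopback-only TCP ports (inward-facing table above).
LOOPBACK_PORTS="2812 5432 5582"

# CONSTRUCTED sample in the shape of `ss -Hlnt` output (no header, numeric
# addresses, listening TCP only). Fields: State Recv-Q Send-Q Local:Port Peer:Port
# It deliberately contains an undocumented port 8080 and the prosody console
# (5582) bound to 0.0.0.0 instead of loopback.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2812 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5582 0.0.0.0:*
EOF
}

# On the real host use this instead of the sample: audit_listeners live_ss_output
live_ss_output() {
    ss -Hlnt
}

# Turn ss lines into "addr port" pairs. The port is whatever follows the last
# colon of the local address; "[::]:22" therefore yields addr "[::]" port "22".
listeners() {
    awk '{ n = split($4, a, ":"); port = a[n];
           addr = substr($4, 1, length($4) - length(port) - 1);
           print addr, port }'
}

is_loopback_addr() {
    case "$1" in
        127.*|\[::1\]) return 0 ;;
        *) return 1 ;;
    esac
}

# in_list NEEDLE "space separated list"
in_list() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# audit_listeners PRODUCER: PRODUCER is a function/command printing ss lines.
# Prints one "port reason" line per finding, sorted and de-duplicated; prints
# nothing when every listener matches the documentation.
audit_listeners() {
    "$1" | listeners | while read -r addr port; do
        if is_loopback_addr "$addr"; then
            in_list "$port" "$LOOPBACK_PORTS" || in_list "$port" "$ALLOWED_PORTS" \
                || echo "$port undocumented-loopback"
        elif in_list "$port" "$LOOPBACK_PORTS"; then
            # Documented as localhost-only but reachable on a non-loopback address.
            echo "$port loopback-only-service-exposed"
        elif ! in_list "$port" "$ALLOWED_PORTS"; then
            echo "$port undocumented-public"
        fi
    done | sort -u
}

# Stand-alone run against the constructed sample.
audit_listeners sample_ss_output
```

Run it from cron or monit and page on non-empty output; the prosody console case is the one that matters most, since a telnet admin console reachable from the internet is a full compromise of the XMPP service.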
5 Other running services of note
- dovecot.service
- mailman.service
- parabolaweb-reporead-inotify.service
6 Nginx "servers"
server_name | HTTP | HTTPS |
---|---|---|
Simple redirects | | |
* | return 301 https://$host$request_uri; | return 301 https://www.parabola.nu/404; |
parabolagnulinux.org | N/A | return 301 https://www.parabola.nu$request_uri; |
*.parabolagnulinux.org | N/A | return 301 https://$subdomain.parabola.nu$request_uri; |
list.parabolagnulinux.org | N/A | return 301 https://lists.parabola.nu$request_uri; |
parabola.nu | N/A | return 301 https://www.parabola.nu$request_uri; |
Websites | | |
www.parabola.nu | N/A | Serve /static/, /favicon.ico, /robots.txt and /img/ statically, redirect /https to /, and hand everything else off to uWSGI |
labs.parabola.nu | N/A | Redirect / to /projects; use uWSGI |
lists.parabola.nu | N/A | |
projects.parabola.nu | N/A | Serve cgit via uWSGI |
repo.parabola.nu | N/A | Serve the union of /srv/repo/main and /srv/repo/http, using repoindex.php (via uWSGI) for indexes |
wiki.parabola.nu | N/A | Serve MediaWiki via uWSGI (https://lukeshu.com/blog/nginx-mediawiki.html) |
pur.parabola.nu | N/A | TODO |
redirector.parabola.nu | N/A | TODO |
repomirror.parabola.nu | N/A | TODO |
HTTP is N/A for every named server because the `*` catch-all redirects all plain-HTTP requests to HTTPS on the same host name; an HTTPS request for a name not listed here lands on the `*` row and is sent to the 404 page instead of being served by whichever vhost nginx would pick as default.
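The "Simple redirects" rows above, written out as nginx server blocks. This is an added example and not the nginx configuration actually deployed on Proton; the certificate paths are placeholders, and it assumes `ssl_certificate`/`ssl_certificate_key` are otherwise set at `http` level so the non-default blocks inherit them. The point worth seeing is the wildcard row: `$subdomain` is not a built-in nginx variable, it has to come from a named capture in a regex `server_name`.

```nginx
# Added example (not proton's real nginx.conf): the redirect rows of the table.

# HTTP catch-all: send everything to HTTPS on the same host name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# HTTPS catch-all for names we do not serve: go to the 404 page rather than
# letting nginx serve some other vhost's content under a foreign Host header.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/parabola.nu.crt;   # placeholder path (assumption)
    ssl_certificate_key /etc/ssl/parabola.nu.key;   # placeholder path (assumption)
    return 301 https://www.parabola.nu/404;
}

# Bare domains -> www.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name parabolagnulinux.org parabola.nu;
    return 301 https://www.parabola.nu$request_uri;
}

# The one old subdomain whose new name is not a 1:1 rename. An exact
# server_name wins over the regex block below, so this must stay a separate block.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name list.parabolagnulinux.org;
    return 301 https://lists.parabola.nu$request_uri;
}

# Wildcard rename: the named capture in the regex server_name defines $subdomain,
# which the return directive then reuses.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ~^(?<subdomain>.+)\.parabolagnulinux\.org$;
    return 301 https://$subdomain.parabola.nu$request_uri;
}
```

Because nginx matches exact names, then wildcard names, then regexes in file order, the `list.` block must exist as an exact name or the regex would turn `list.parabolagnulinux.org` into `list.parabola.nu`, which is not where the lists live. The `$host` redirect on port 80 only ever changes the scheme, so it is not an open redirect; an attacker-controlled Host header just ends up at the HTTPS catch-all and the 404 page.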
7 Mail configuration
Postfix's postscreen handles port 25 and enforces the pregreet test (a client that starts talking before the server's greeting is rejected). SPF records are checked through python2-postfix-policyd-spf, and local delivery goes through Dovecot's deliver (the Dovecot LDA). deliver and the Dovecot daemon must be the same version, so after a Dovecot update the daemon has to be restarted, or deliveries fail until it is.
Mailman handles the lists, with Postfix integration via a virtual address map. Use /usr/lib/mailman/bin/newlist to add a list.
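The Postfix settings that produce the behaviour described above, as an added example rather than a copy of Proton's real main.cf/master.cf. The binary paths, the submission/smtps options and the Mailman map path are assumptions (the Mailman path follows from the /var/lib/mailman bind mount described under "Configuration things"); the `private/auth` SASL socket is the one listed in the inward-facing table.

```conf
# Added example (not proton's actual configuration).

# ---- main.cf ----
# postscreen sits on port 25; "enforce" rejects clients that speak before the
# greeting instead of merely logging them.
postscreen_greet_action = enforce

# SPF is evaluated by the policyd-spf policy daemon at RCPT time, after the
# cheap checks so it is not consulted for mail we would reject anyway.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600

# SMTP AUTH is delegated to Dovecot over the socket inside Postfix's chroot
# (unix:/var/spool/postfix/private/auth in the inward-facing table).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Local delivery through Dovecot's LDA; path is an assumption.
mailbox_command = /usr/lib/dovecot/deliver -f "$SENDER" -a "$RECIPIENT"

# Mailman's generated virtual map (path assumed from the bind mount) plus a
# hand-maintained one.
virtual_alias_maps = hash:/etc/postfix/virtual, hash:/var/lib/mailman/data/virtual-mailman

# ---- master.cf ----
# service   type  private unpriv chroot wakeup maxproc command + args
smtp        inet  n       -      n      -      1       postscreen
smtpd       pass  -       -      n      -      -       smtpd
dnsblog     unix  -       -      n      -      0       dnsblog
tlsproxy    unix  -       -      n      -      0       tlsproxy
# Port 587 (SMTP-MSA) and 465 (SMTPS) bypass postscreen and require TLS + AUTH.
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps       inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
policyd-spf unix  -       n      n      -      0       spawn
  user=nobody argv=/usr/bin/policyd-spf
```

postscreen must only ever front port 25: it exists to cheaply drop bots before a full smtpd is spawned, and putting it in front of the submission ports would break legitimate clients that pipeline after AUTH.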
8 Configuration things
There used to be several symlinks added to /var to keep things in sane places, but they have been replaced by bind mounts in /etc/fstab, because the symlinks confused pacman.
/var/lib/mailman -> ../../srv/mailman
/var/lib/mysql -> ../../srv/sql/mysql
/var/lib/postgres -> ../../srv/sql/postgres
/var/spool/cron -> ../../etc/cron.spool
That is, nothing of consequence and needing to be backed up should live anywhere but /srv or /etc. Maybe /home for personal stuff.