The Doctor's to-do list: Difference between revisions

Stuff will be stricken out as I finish it. If anyone wants to jump in and help me with this, by all means do so, just put your initials at the end so I know who did what.

In no particular order, this is the stuff I want to accomplish over Labor Day weekend:

• The build configuration in the .Slackbuild for nginx is already pretty much what we need.
  • I used the following command line to force nginx to use a custom pseudouser and pseudogroup rather than nobody and nobody (respectively): NGINXUSER=nginx NGINXGROUP=nginx ./nginx.SlackBuild
  • A user and group called 'nginx' will have to be created in the OS before this will work. This is to sandbox the daemon more effectively.
  • The /etc/nginx/nginx.conf file will have to be modified. I'll check that into Git as well.
  • Need to create two directories, /etc/nginx/apps (for active web apps) and /etc/nginx/offline_apps (self explanatory) in the .Slackbuild.
  • Need to create /srv/nginx in the .Slackbuild for the web apps to go into.
    • /srv/nginx/root is for the /index.php script
    • /srv/nginx/<app> is for web apps
    • Owned by nginx.nginx, mod 0755.
  • Due to how the tgz-to-xzm conversion process works, doinst.sh is not called, so there are some steps that we have to be done by the .Slackbuild script.
• Test that particular build of nginx against a couple of PHP apps.
• Build nginx packages and check them into SVN.
• Figure out a good PHP build configuration that
  • for optimal FastCGI compatibility, needs to be >= v5.3.3. We've got this covered with the .Slackbuild for Slackware v13.37.
  • runs under FastCGI
  • more FastCGI
  • includes SQLite
  • includes MySQL
• Test that particular build of PHP against a couple of apps.
• Write a .Slackbuild script for new version of PHP with the configuration I work out. There's a bug in v5.3.6 in that it won't build without LDAP support.
• Build PHP packages and check them into SVN.
  • Use the Slackware v.13.37 .Slackbuild script as a base
  • ./configure options I'm using for testing before packaging:
    • --enable-fpm --enable-mbstring --disable-pdo --with-curl --disable-debug --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --enable-zip --with-pcre-regex --with-openssl --with-mysql --with-mysql-sock=/var/run/mysql/mysql.sock --with-mysqli --enable-sqlite-utf8 --prefix=/usr --with-gmp --enable-intl --with-xsl --enable-zip --without-ldap --with-mcrypt
  • Need to rewrite the destination for the module in the .Slackbuild because we're building against nginx and not Apache. The .Slackbuild is going to require serious modifications.
  • Need to configure so that it's
    • optimized for small-ish systems
    • hardened!
      • [1]
      • [2]
      • [3]
• Set up an account on the Porteus forums and post the link to our SVN repo.
• Develop a configuration for nginx that
  • is lightweight
  • somewhat optimized
  • modular, so that each app has its own included config file
  • hardened

• Official Slackware g package
  • Default webroot is /srv/httpd/htdocs.
  • Will need to rework module to clear out /var/www. We won't need that stuff.
  • Custom config files are a given. I guess this pushes us back to using separate config files for each app.
  • Comment out authn*, authz*, dumpio_module, ldap_module, usertrack_module, proxy*, dav_module, status_module, cgi_module, status_module, cgi_module, dav_fs_module, vhost_alias_module, imagemap_module, userdir_module in /etc/httpd/httpd.conf.
  • Uncomment ssl_module.
  • Disable logging when everything is working.
  • Delete /srv/httpd/cgi-bin?
  • Look into setting up mod_chroot. There is an package on slackbuilds.org that could be built and converted.
    • A problem is that it'll need to be reconfigured or hacked to use a different webroot directory.
  • Look into setting up mod_evasive. It's an anti-DoS, anti-bruteforce module.
• Official Slackware PHP package.
  • php.ini - need to turn log_errors, ignore_repeated_errors off.
  • Look through the list of extensions in php.ini and turn all of the unnecessary ones off.
    • calendar, ldap.
      • Is SQLite enabled? Check on this.

• Write a web app for the control panel that
  • Can start and stop nginx on demand
  • store its configuration in a database
  • move sub-config files for nginx that represent PHP apps into and out of the /etc/nginx/conf.d directory
  • force nginx to reload its config files every time an app is (de-)configured
    • /usr/sbin/nginx -s reload
• Get OpenSSL working in nginx
• Write an initscript that
  • checks for the presence of a node's SSL cert in /etc/nginx (the default)
  • terminates if one is found
• Set Porteus up to set its hostname to the IPv6 address of the primary wireless interface of the node.
• Write a PHP app that
  • displays a "Hello, User!" message
  • displays links to apps hosted on the node which happen to be active
  • removes links to apps hosted on the node that are deactivated
    • I don't know PHP... can we find someone who does?
    • Would have to reference the SQLite database which keeps track of the active and inactive web apps and modifies the output accordingly
  • has to be mobile-friendly
• Install crypto.cat on my development instance
  • requires PHP
  • will need its UI tweaked to be more mobile-friendly
  • Create a crypto.cat Porteus package and check it into SVN
• Install etherpad-lite on my development instance
  • requires node.js, for which there exists a Slackpack
    • build a Slackpack of node.js, convert into Porteus package, check everything into SVN
  • write an initscript that can start up crypto.cat when called but not at boot
  • will have to be controlled by the control panel, store its configuration in a database
  • write a sub-config file for nginx that passes through the /pad URL to localhost:9001
  • requires NPM
    • that will need to be packaged and checked in separately, I think.
    • run it in verbose mode to keep an eye on it
    • if it installs more stuff, we should bundle the whole mess into the NPM Porteus package
  • really should run as an unprivileged user
  • really should listen on the loopback interface only
  • pay attention to the reverse-proxy howto for nginx!
  • have to start it by hand a few times to figure out how to automate and package it
• install status.net on my development instance
  • requires PHP, MySQL
  • nginx must have URL rewriting available
  • PHP must have support for Curl, XMLwriter, MySQL, GD, mbstring, gettext (all required for status.net), SQLite (to read configuration databases)
  • nginx installation instructions!
  • These are what I used
    • Note that these are command-line installation instructions! If you try to do this with a web browser it WILL NOT WORK!
  • will need to pre-configure it for security and usability
  • need to make the mobile skin the default and erase the others to free up disk space
  • will need to write a sub-config file for nginx
  • configure for longer messages - 560 characters? 700 characters?
  • configure to make it easy to set up accounts on a node - no e-mail verification
  • enable image upload and display
• Write a dependency manager for apps
  • some web apps require MySQL, some don't
  • only start MySQL if it's not running already for the ones that don't
• Write a web app that (de-)configures gateway mode for babeld. I think it's a matter of pushing a route to 0.0.0.0 or not, have to read up on it.
• Installed the pre-converted MySQL Porteus package from the distro-download archive.
  • Need to pre-configure MySQL for small-ish systems
  • Need to pre-harden MySQL
  • Change the default password to something else.
  • Need to pre-create accounts, databases for all web apps and give them strong passwords. They need to be ready to go when they're started up.
• Harden /etc/sysctl.conf!