The Doctor's to-do list: Difference between revisions
From HacDC Wiki
(11 intermediate revisions by one other user not shown)
Line 1: | Line 1: | ||
Stuff will be <strike>stricken out</strike> as I finish it. If anyone wants to jump in and help me with this, by all means do so, just put your initials at the end so I know who did what. | Stuff will be <strike>stricken out</strike> as I finish it. If anyone wants to jump in and help me with this, by all means do so, just put your initials at the end so I know who did what. | ||
In no particular order, this is the stuff I want to accomplish | In no particular order, this is the stuff I want to accomplish: | ||
* <strike>[http://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-13.37/slackware/n/ Official Slackware g package]</strike> | * <strike>[http://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-13.37/slackware/n/ Official Slackware g package]</strike> | ||
** <strike>Default webroot is /srv/httpd/htdocs.</strike> | ** <strike>Default webroot is /srv/httpd/htdocs.</strike> | ||
** Will need to rework module to clear out /var/www. We won't need that stuff. | ** Will need to rework module to clear out /var/www. We won't need that stuff. | ||
** Custom config files are a given. I guess this pushes us back to using separate config files for each app. | ** <strike>Custom config files are a given. I guess this pushes us back to using separate config files for each app.</strike> | ||
** Comment out authn*, authz*, dumpio_module, ldap_module, usertrack_module, proxy*, dav_module, status_module, cgi_module, status_module, cgi_module, dav_fs_module, vhost_alias_module, imagemap_module, userdir_module in /etc/httpd/httpd.conf. | ** Comment out authn*, authz*, dumpio_module, ldap_module, usertrack_module, proxy*, dav_module, status_module, cgi_module, status_module, cgi_module, dav_fs_module, vhost_alias_module, imagemap_module, userdir_module in /etc/httpd/httpd.conf. | ||
** <strike>Uncomment ssl_module.</strike> | ** <strike>Uncomment ssl_module.</strike> | ||
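Review bot: in the "Comment out ..." line, the proxy* wildcard conflicts with the Etherpad-lite item further down that has Apache pass the /pad URL through to localhost:9001, since that pass-through needs mod_proxy and mod_proxy_http loaded. List the proxy modules to disable by name instead of using the wildcard. The same line also lists status_module and cgi_module twice.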
Line 18: | Line 18: | ||
** Look through the list of extensions in php.ini and turn all of the unnecessary ones off. | ** Look through the list of extensions in php.ini and turn all of the unnecessary ones off. | ||
*** calendar, ldap. | *** calendar, ldap. | ||
* Set Porteus up to set its hostname to the IPv6 address of the primary wireless interface of the node. | * Set Porteus up to set its hostname to the IPv6 address of the primary wireless interface of the node. | ||
Line 38: | Line 29: | ||
** has to be mobile-friendly | ** has to be mobile-friendly | ||
* <strike>Install [https://github.com/Pita/etherpad-lite etherpad-lite] on my development instance</strike> | |||
** <strike>[http://slackbuilds.org/repository/13.37/network/node/ requires node.js, for which there exists a Slackpack]</strike> | |||
*** <strike>build a Slackpack of node.js, convert into Porteus package, check everything into SVN</strike> | |||
** <strike>write an initscript that can start up Etherpad-lite when called by the control panel</strike> | |||
** <strike>will have to be controlled by the control panel, store its configuration in a database</strike> | |||
** <strike>write a sub-config file for Apache that passes through the /pad URL to localhost:9001</strike> | |||
** [http://slackbuilds.org/repository/13.37/network/node/ requires node.js, for which there exists a Slackpack] | ** <strike>requires [http://npmjs.org NPM]</strike> | ||
*** build a Slackpack of node.js, convert into Porteus package, check everything into SVN | *** <strike>that will need to be packaged and checked in separately, I think.</strike> | ||
** write an initscript that can start up | *** <strike>run it in verbose mode to keep an eye on it</strike> | ||
** will have to be controlled by the control panel, store its configuration in a database | *** <strike>if it installs more stuff, we should bundle the whole mess into the NPM Porteus package</strike> | ||
** write a sub-config file for Apache that passes through the /pad URL to localhost:9001 | ** <strike>really should run as an unprivileged user</strike> | ||
** requires [http://npmjs.org NPM] | ** <strike>pay attention to the [https://github.com/Pita/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy reverse-proxy howto]</strike> | ||
*** that will need to be packaged and checked in separately, I think. | ** <strike>have to start it by hand a few times to figure out how to automate and package it</strike> | ||
*** run it in verbose mode to keep an eye on it | |||
*** if it installs more stuff, we should bundle the whole mess into the NPM Porteus package | |||
** really should run as an unprivileged user | |||
** | |||
** have to start it by hand a few times to figure out how to automate and package it | |||
* install status.net on my development instance | * <strike>install status.net on my development instance</strike> | ||
** <strike>requires PHP, MySQL</strike> | ** <strike>requires PHP, MySQL</strike> | ||
** <strike>PHP must have support for Curl, XMLwriter, MySQL, GD, mbstring, gettext (all required for status.net), SQLite (to read configuration databases)</strike> | ** <strike>PHP must have support for Curl, XMLwriter, MySQL, GD, mbstring, gettext (all required for status.net), SQLite (to read configuration databases)</strike> | ||
** will need to pre-configure it for security and usability | ** will need to pre-configure it for security and usability | ||
** Need to hack the | ** <strike>Need to hack the mnml theme to be more mobile friendly.</strike> | ||
** Delete the unneeded themes and add-ons | ** Delete the unneeded themes and add-ons to save space, reduce potential attack surface. | ||
** Add-ons are not enabled by default. To turn one on you have to manually edit config.php and add lines for each one. This is moderately safe. Consider making config.php read-only with instructions for editing it later? | |||
** <strike>will need to write a sub-config file for Apache</strike> | ** <strike>will need to write a sub-config file for Apache</strike> | ||
** <strike>configure for longer messages - 560 characters?</strike> | ** <strike>configure for longer messages - 560 characters?</strike> | ||
** configure to make it easy to set up accounts on a node - no e-mail verification | ** configure to make it easy to set up accounts on a node - no e-mail verification | ||
** enable image upload and display | ** <strike>enable image upload and display</strike> | ||
** There is a subtle problem: the hostname of the node ($config['site']['server'] = 'name of node here';) must be set correctly in config.php for themes to display properly. However, this requires that the clients have working DNS, which means three things: | |||
*** <strike>DNS (dnsmasq) must be functional on the node.</strike> | |||
*** <strike>Clients must have hostnames configured by the node.</strike> | |||
*** <strike>Clients must have DNS configured as the node it got its information from so that hostnames can be resolved properly.</strike> | |||
* | * <strike>Write a web app that (de-)configures gateway mode for babeld. I think it's a matter of pushing a route to 0.0.0.0 or not, have to read up on it.</strike> | ||
* <strike>Installed the pre-converted MySQL Porteus package from the distro-download archive.</strike> | * <strike>Installed the pre-converted MySQL Porteus package from the distro-download archive.</strike> | ||
** Need to pre-configure MySQL for small-ish systems | ** <strike>Need to pre-configure MySQL for small-ish systems</strike> | ||
** Need to pre-harden MySQL | ** <strike>Need to pre-harden MySQL</strike> | ||
** Change the default password to something else. | ** Change the default password to something else. | ||
** Need to pre-create accounts, databases for all web apps and give them strong passwords. They need to be ready to go when they're started up. | ** Need to pre-create accounts, databases for all web apps and give them strong passwords. They need to be ready to go when they're started up. | ||
* Harden /etc/sysctl.conf! | * Harden /etc/sysctl.conf! | ||
* In /network/wireless, do some kind of "please wait, this could take a while" popup. | |||
[[Category:Byzantium]] |
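Review bot: the added config.php line should say for whom the file is read-only. Add-ons are enabled by editing config.php, so the protection holds only if the account Apache and PHP run as cannot write to it. State the intended owner and mode in the item rather than just "read-only", and note that the later-editing instructions then need a privileged step.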
Latest revision as of 03:29, 4 April 2012
Stuff will be stricken out as I finish it. If anyone wants to jump in and help me with this, by all means do so, just put your initials at the end so I know who did what.
In no particular order, this is the stuff I want to accomplish:
* <strike>Official Slackware g package</strike>
** <strike>Default webroot is /srv/httpd/htdocs.</strike>
** Will need to rework module to clear out /var/www. We won't need that stuff.
** <strike>Custom config files are a given. I guess this pushes us back to using separate config files for each app.</strike>
** Comment out authn*, authz*, dumpio_module, ldap_module, usertrack_module, proxy*, dav_module, status_module, cgi_module, dav_fs_module, vhost_alias_module, imagemap_module, userdir_module in /etc/httpd/httpd.conf.
** <strike>Uncomment ssl_module.</strike>
** Disable logging when everything is working.
** <strike>/srv/httpd and /srv/www are symlinks to /var/www. Oh, well.</strike>
** Look into setting up mod_chroot. There is a package on slackbuilds.org that could be built and converted.
** Look into setting up mod_evasive. It's an anti-DoS, anti-bruteforce module.
* <strike>Official Slackware PHP package.</strike>
** php.ini - need to turn log_errors, ignore_repeated_errors off.
** Look through the list of extensions in php.ini and turn all of the unnecessary ones off.
*** calendar, ldap.
* Set Porteus up to set its hostname to the IPv6 address of the primary wireless interface of the node.
* Write a PHP app that
** displays a "Hello, User!" message
** displays links to apps hosted on the node which happen to be active
** removes links to apps hosted on the node that are deactivated
** I don't know PHP... can we find someone who does? Brad?
** Would have to reference the SQLite database which keeps track of the active and inactive web apps and modifies the output accordingly
** has to be mobile-friendly
* <strike>Install etherpad-lite on my development instance</strike>
** <strike>requires node.js, for which there exists a Slackpack</strike>
*** <strike>build a Slackpack of node.js, convert into Porteus package, check everything into SVN</strike>
** <strike>write an initscript that can start up Etherpad-lite when called by the control panel</strike>
** <strike>will have to be controlled by the control panel, store its configuration in a database</strike>
** <strike>write a sub-config file for Apache that passes through the /pad URL to localhost:9001</strike>
** <strike>requires NPM</strike>
*** <strike>that will need to be packaged and checked in separately, I think.</strike>
*** <strike>run it in verbose mode to keep an eye on it</strike>
*** <strike>if it installs more stuff, we should bundle the whole mess into the NPM Porteus package</strike>
** <strike>really should run as an unprivileged user</strike>
** <strike>pay attention to the reverse-proxy howto</strike>
** <strike>have to start it by hand a few times to figure out how to automate and package it</strike>
* <strike>install status.net on my development instance</strike>
** <strike>requires PHP, MySQL</strike>
** <strike>PHP must have support for Curl, XMLwriter, MySQL, GD, mbstring, gettext (all required for status.net), SQLite (to read configuration databases)</strike>
** will need to pre-configure it for security and usability
** <strike>Need to hack the mnml theme to be more mobile friendly.</strike>
** Delete the unneeded themes and add-ons to save space, reduce potential attack surface.
** Add-ons are not enabled by default. To turn one on you have to manually edit config.php and add lines for each one. This is moderately safe. Consider making config.php read-only with instructions for editing it later?
** <strike>will need to write a sub-config file for Apache</strike>
** <strike>configure for longer messages - 560 characters?</strike>
** configure to make it easy to set up accounts on a node - no e-mail verification
** <strike>enable image upload and display</strike>
** There is a subtle problem: the hostname of the node ($config['site']['server'] = 'name of node here';) must be set correctly in config.php for themes to display properly. However, this requires that the clients have working DNS, which means three things:
*** <strike>DNS (dnsmasq) must be functional on the node.</strike>
*** <strike>Clients must have hostnames configured by the node.</strike>
*** <strike>Clients must have DNS configured as the node it got its information from so that hostnames can be resolved properly.</strike>
* <strike>Write a web app that (de-)configures gateway mode for babeld. I think it's a matter of pushing a route to 0.0.0.0 or not, have to read up on it.</strike>
* <strike>Installed the pre-converted MySQL Porteus package from the distro-download archive.</strike>
** <strike>Need to pre-configure MySQL for small-ish systems</strike>
** <strike>Need to pre-harden MySQL</strike>
** Change the default password to something else.
** Need to pre-create accounts, databases for all web apps and give them strong passwords. They need to be ready to go when they're started up.
* Harden /etc/sysctl.conf!
* In /network/wireless, do some kind of "please wait, this could take a while" popup.