Operativa
Notes on building Hackerspace public and member services.
Contents
Common
1. Install basic stuff.
# yum install -y epel-release # yum install -y vim bash-completion wget
LDAP
Installation
# yum install -y openldap openldap-clients openldap-servers
Service
1. Enable and start service.
# systemctl enable slapd.service # systemctl start slapd.service
2. Check it actually works.
# systemctl status -l slapd.service
Configuration
1. Copy default DB_CONFIG.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2. Create a new admin password.
# slappasswd
3. Create an initial config in a file.
dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=org" read by * none dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=example,dc=org - replace: olcRootDN olcRootDN: cn=admin,dc=example,dc=org - add: olcRootPW olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
4. And use it.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
Schema
1. Create an ldif file with the schema.
# example.org dn: dc=example,dc=org dc: example objectClass: dcObject objectClass: organizationalUnit ou: example.org # People dn: ou=People,dc=example,dc=org objectClass: organizationalUnit ou: People
2. And use it.
# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif
Users
1. Create a new user.
dn: uid=test,ou=People,dc=example,dc=org objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount mail: username@example.gr cn: username example sn: example givenName: username uid: test uidNumber: 99 gidNumber: 12 homeDirectory: /Maildir/test userPassword: test
Status
1. Display entire config.
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Nginx
Installation
# yum -y install nginx certbot
Initial Configuration
1. Edit nginx.conf. Remove server block and turn access logs off.
access_log off;
2. Create ssl.conf under conf.d.
# https://wiki.mozilla.org/Security/Server_Side_TLS ssl_dhparam /etc/ssl/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; add_header Strict-Transport-Security "max-age=31536000";
3. Create dhparam.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.
server { listen [::]:80; listen 80; server_name example.org www.example.org conf.example.org; root /var/www/default/; index index.html; }
Service
1. Test the configuration.
# nginx -t
2. Enable and start service.
# systemctl enable nginx.service # systemctl start nginx.service
Certificates
1. Create certificates, including all subdomains
certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly
Final configuration
1. Edit default.conf to make it https-only.
server { listen [::]:80; listen 80; server_name example.org www.example.org; return 301 https://$server_name$request_uri; } server { listen [::]:443 ssl; listen 443 ssl; server_name www.example.org; return 301 https://$server_name$request_uri; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; } server { listen [::]:443 ssl; listen 443 ssl; server_name example.org; root /var/www/default/; index index.html; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; }
2. Test the configuration.
# nginx -t
3. Reload nginx.
# nginx -s reload
Jabber
Installation
# yum -y install prosody