#REDIRECT [[Obsolete Service/BundleBin]]

Obsolete Service/BundleBin

2024-03-31T13:16:02Z

Bernie: Bernie moved page Service/BundleBin to Obsolete Service/BundleBin

{{Obsolete}}

Like a pastebin, but for properly formed activity bundles (<code>.xo</code>).
== Hostnames & Emails ==

[https://bundlebin.sugarlabs.org bundlebin.sugarlabs.org]

== Hosted On ==

[[Machine/justice|Freedom]] using docker & nginx

=== Ports ===

Bundle Bin App: 5000 (on freedom)

== Setup ==

Start the docker:

container.yml start /home/sam/bundlebin -d

Obsolete Service/BundleBin

2024-03-31T13:15:50Z

Bernie:

Service/obs

2024-03-31T13:14:55Z

Bernie: Bernie moved page Service/obs to Obsolete Service/obs

#REDIRECT [[Obsolete Service/obs]]

Obsolete Service/obs

2024-03-31T13:14:55Z

Bernie: Bernie moved page Service/obs to Obsolete Service/obs

{{Obsolete}}

== Hostnames ==

* obs.sugarlabs.org
* packages.sugarlabs.org
* sweets.sugarlabs.org

== Hosted on ==

[[Machine/jita]]

== Administrative contact ==

* obs AT sugarlabs DOT org

== Sysadmins ==

* [[User:alsroot|Aleksey Lim]]

== Notes ==

[http://build.opensuse.org/ OBS] instance with sugar related changes.

{| class="wikitable"
|-
!scope="row" | Home
|{{Code|/srv/obs}}
|-
!scope="row" | Daemon
|
{{Code|/etc/init.d/obs}} 
{{Code|/etc/init.d/obs-worker}}
|-
!scope="row" | Config
|
{{Code|/srv/obs/app/src/backend/BSConfig.pm}} 
{{Code|/srv/obs/app/src/api/config/}} 
{{Code|/srv/obs/app/src/webui/config/}}
|-
!scope="row" | Logs
|{{Code|/srv/obs/site/log}}
|-
!scope="row" | SSL certificates
|
{{Code|/etc/ssl/private/obs.sugarlabs.org.key}} 
{{Code|/etc/ssl/certs/obs.sugarlabs.org.pem}} 
{{Code|/etc/ssl/private/packages.sugarlabs.org.key}} 
{{Code|/etc/ssl/certs/packages.sugarlabs.org.pem}} 
|-
|}

{{Note/warning|Caution|Since python OBS clients can't handle SNI, default vhost needs to provide {{Code|obs.sugarlabs.org}} SSL certificate.}}

== Upgrade notes ==

{| class="wikitable"
!scope="row" | git
|
{{Code|/srv/obs/app}}
|-
|}

Packages:

apt-get install liblocal-lib-perl libio-compress-perl libnet-ssleay-perl createrepo cmake librpm-dev check

Gems:

su - obs
cd ~/app/src/api
rake gems:install

Perl modules:
cpan -i Socket/MsgHdr.pm

Build sat-solver:

su - obs
cd ~/app/src/backend/sat-solver
cmake . -DMULTI_SEMANTICS=1
make

Build BSSolv:

su - obs
cd ~/app/src/backend
perl Makefile.PL
make

== Hints ==

Delete download repository copies:

repos={}; Download.find_each {|i| repos[i.metafile] = [(repos.include?(i.metafile) ? repos[i.metafile] : 0), i.id].max}; Download.find_each {|i| i.delete if i.id != repos[i.metafile]}

2022-07-31T07:45:27Z

Bernie:

2022-07-31T07:31:09Z

Bernie:

== Administrative contact ==

To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>

== Hostmasters ==

Current hostmasters are:

* [[User:Bernie|Bernie Innocenti]]

(please use preferably the administrative address)

== Registered nameservers ==

The following nameservers are currently registered in whois records for our domains:

{| class="wikitable" border="1"
|-
! hostname
! aka
! location
! IPv4
! IPv6
|-
! '''ns1.sugarlabs.org'''
| lightwave
| Sonic, Santa Rosa CA, USA
| 192.184.220.216
| 2001:5a8:601:f::216/64
|-
| ns2.sugarlabs.net
| sunjammer
| FSF, Boston, USA
| 208.118.235.53
| 2001:470:142:7::11
|-
| ns1.codewiz.org
| neo
| Develer, Firenze, Italy
| 2.228.72.10
| 2001:b02:400:1::10
|}

== Editing zone data ==

We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations.
'''DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER, ANY CHANGES WILL BE OVERWRITTEN'''.

== Checkout nameserver config ==

Checkout the git repository containing the DNS zone data:

git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns

Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster.

In order to make changes, you will also need the private keys for your domain. For security reasons, these
are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/
directory alongside the public keys.

== Edit zone data ==

Guidelines for editing zones:

* Please keep the zone files tidy, by following indentation style
* Add comments as needed to describe obscure records in the zone files
* Remember to keep reverse zones always up to date
* '''Bump the serials after each update!''' (this is done automatically by our update-zone script)

== Push changes back to master nameserver ==

After you edited the sugarlabs.org zone, execute this script to re-sign the zone
and push your changes to the master DNS:

./update-sugarlabs

The script does:
* bump the serial number
* re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
* commit your changes
* push the commit to the remote repository

The post-receive hook automates the rest of the procedure:
* send a notification email to systems-logs@
* checkout your changes to the bind configuration directory
* make BIND reload its configuration
* watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones

For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:

./update-zone turtleartday.org

This will check the zone before pushing.

== GIT repository implementation details ==

We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).

See [[Sysadmin/Autocheckout repositories]] for all the implementation details.

== DNSSEC details ==

=== How to create keys for a new domain ===

We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses:

cd keys
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org

=== How to manually sign a zone ===
Normally, you should use the update-zone script

dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone
systemctl restart bind9

=== Add DS records to TLD ===

This step must be performed using the interface of the registrar (I used name.com).

The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:

codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6

=== How to validate zone data ===

==== Online validators ====
* https://dnssec-analyzer.verisignlabs.com/codewiz.org
* https://dnsviz.net/d/codewiz.org/dnssec/

==== CLI tools ====

* Validate zone data with dig:
dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad

* Validate zone data against domain DNSKEY:
$ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org
codewiz.org has address 209.51.188.53 (secure)
codewiz.org has IPv6 address 2001:470:142:7::11 (secure)
codewiz.org mail is handled by 10 neo.develer.net. (secure)

* Validate zone data against a domain's DS key:
unbound-host -y 'codewiz.org. DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6' -v codewiz.org

* Validate zone data against root DNSKEY:
unbound-host -D -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v codewiz.org