infrastructure for woodbine's online presence
Latest commit: Jonathan Dahan, a32e0b201f, "explain how to run locally on macOS", 1 year ago
community services for woodbine.nyc

Experiment in digital autonomy

Latest code is hosted on https://git.woodbine.nyc/micro/woodbine.nyc

If you are new to running your own websites, welcome!

Note that a "service" is a fuzzy name for software that is expected to be always running.

A simple web server (python3 -m http.server) could be a service, as could something like Gmail.

Goals

Understandable

  • a person should be able to adapt this to their community while learning the least amount of new concepts and technology
  • the person who set it up should not be needed to maintain the services

Resilient

  • services should work even when other parts of the web are not accessible

Lean

  • we prefer lightweight software, which usually requires less long-term maintenance

Decisions

There are many other kinds of digital autonomy, but most people are used to the web.

We hope to share our decision making here, so you can follow our thought process.

Decisions made for you

These are needed by anyone who wants to deploy web-based services.

Auth

We need a way for people to either register an account or sign in with an external account to use the services.

After trying authelia, zitadel, authentik, and keycloak, we got the furthest with zitadel.

Web

To host a webpage, you need some software that listens for http requests. We chose Caddy.

If you would like to edit the webpage, either change the files in ./data/web/site/ directly, or you can connect via WebDAV and edit the file remotely via https://web.localhost.

Backup

If you will be helping a community, it's important to have backups and restore. We have two helper services, backup-files and backup-database.

These use duplicity to back up to a Backblaze bucket, so you will need to set that up beforehand.

Secrets

We have two helper services for making sure secrets exist (check-secrets), or generating unique secrets for other services that need them (generate-secrets).
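As an added example (not the project's own check-secrets or generate-secrets code), here is a POSIX shell sketch of the two behaviours just described: create a unique secret for a service only when none exists, never overwrite one that a running service may already depend on, and check that a secret is present. The ./secrets/<service>/<name> layout is an assumption modelled on ./secrets/backup/.

```shell
#!/bin/sh
# Added example, not the project's scripts. Assumed layout (hypothetical):
#   ./secrets/<service>/<name>   e.g. ./secrets/db/postgres_password
set -eu

# generate_secret DIR NAME [BYTES]
# Writes BYTES random bytes, hex-encoded, to DIR/NAME with mode 0600.
# Returns 0 if a new secret was written, 1 if one already existed
# (an existing secret is never rotated by accident on a re-run).
generate_secret() {
    dir=$1
    name=$2
    bytes=${3:-32}
    path="$dir/$name"

    if [ -s "$path" ]; then
        return 1            # keep the existing secret untouched
    fi

    mkdir -p "$dir"
    chmod 700 "$dir"        # the directory itself is not world-readable
    (
        umask 077           # subshell: only the new file gets the tight umask
        head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n' > "$path"
        echo >> "$path"     # trailing newline, as most env/secret readers expect
    )
    [ -s "$path" ]
}

# check_secret DIR NAME
# Succeeds only if the secret exists and is non-empty; use it before
# starting a service that would otherwise boot with an empty credential.
check_secret() {
    [ -s "$1/$2" ]
}
```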


getting started

setup

Make a Backblaze B2 account for backups. Add the secrets to ./secrets/backup/.

Fill out env.template and make sure to pass it in the next command.

running

Helper scripts can be found in the scripts directory

To start

./scripts/up

To stop, you can press ctrl+c, or in another terminal run

./scripts/down

To generate secrets for all services ahead of time

./scripts/generate-secrets

port forwarding

The caddy service expects to be able to bind to ports 80 and 443.

One simple way is to allow unprivileged users to bind these low ports.

If you are on linux, you can run

$ sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
$ echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf

The first command changes the setting until reboot. The second makes it permanent. Note that this lowers the privileged-port boundary for every unprivileged process on that host, not only the caddy container.

If you are on macOS using podman, you will want to run those commands inside the linux virtual machine:

$ podman machine ssh
core@localhost:~$ echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf
core@localhost:~$ sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80

design

All the services are defined by docker compose files.

We provide backup-files, backup-database, check-secrets, and generate-secrets helper services.

We have configured Caddy to import all files found in /etc/caddy.d/, so if you want to add a new service, you will need to make a small Proxyfile telling caddy which subdomain to forward to which port.

See the services readme for a guide on adding a new service.


roadmap

alpha

  • decide on single postgres instance or multiple
  • postgres backup (duplicity)
  • single sign-on for webdav (one user per folder)
  • single sign-on for one more service
  • identity provider (zitadel)
  • file backup (duplicity)
  • reverse proxy (caddy)
  • personal home pages (caddy-webdav)
  • setup notifications via smtp

beta

  • file restore
  • postgres restore
  • wiki
  • matrix server (dendrite)
  • mail server (stalwart or maddy)
  • mailing list (listmonk)
  • code forge (gitea or forgejo)

0.1

  • only expose 443, 587, 993
  • running on beta.woodbine.nyc
  • audit on secrets management
  • audit on mail server
  • audit on general architecture

credits

thank you https://hackerspace.zone