Changes between Version 1 and Version 2 of schleuder-setup


Timestamp:
Feb 7, 2017, 12:02:36 AM (4 years ago)
Author:
JaimeV
Comment:

--

  • schleuder-setup

    v1 v2  
    1313
    1414=== No recommends ===
    15 Make sure all subsequent package instals with apt default to using the '''--no-install-recommends''' preference by adding a line to apt.conf
     15Make sure all subsequent package installs with apt default to using the '''--no-install-recommends''' preference by adding a line to apt.conf
    1616
    1717{{{0 herman:~# echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf}}}
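Review bot: the `echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf` step is not idempotent; anyone re-running this section appends a second copy of the directive. Suggest guarding it (for example `grep -q 'Install-Recommends' /etc/apt/apt.conf || echo ... >> /etc/apt/apt.conf`) or writing the setting to its own file under `/etc/apt/apt.conf.d/`, which also keeps apt.conf untouched for later review.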
     
    5555{{{ 0 herman:~# apt install gnupg/unstable schleuder-cli/unstable schleuder/unstable }}}
    5656
    57 Omitting the emacs-nox package and its's dependencies that aren't essential here the above setup should give us a package list very close to what is on herman now.
     57At this point the above setup should give us a package list very close to what is on herman now with the exception of the emacs-nox package and its dependencies.
    5858
    5959=== Networking ===
     
    180180In the master.cf this line {{{schleuder_destination_recipient_limit = 1}}} means, "if a message comes in headed for the schleuder transport and it is headed for multiple recipients, feed it to each of them separately, one at a time." {{{compatibility_level = 2}}} just disables backwards compatibility.
    181181
    182 === Dedicated user for schleuder-cli ===
    183 
    184 Create a separate "schleuder-mgmt" user that is able to talk to the API but doesn't have r/w access to the sqlitedb
     182
     183=== Schleuder configuration ===
     184
     185Lots of useful information in [https://schleuder.nadir.org/docs/| Schleuder3's official documentation].
     186
     187The following commands and file edits should be performed under the dedicated schleuder user created by the installer.
     188
     189{{{
     1900 root@herman:~# su - schleuder -s /bin/bash
     191}}}
     192 
     193Schleuder reads its basic settings from a file that it by default expects at {{{/etc/schleuder/schleuder.yml}}}  The only initial change from the default settings that has been made there on herman is to comment out the default keyserver.
     194{{{#keyserver: pool.sks-keyservers.net}}}
     195
     196The Schleuder API is provided by schleuder-api-daemon. Configuration clients (schleuder-web, schleuder-cli) use it to access information about lists, subscriptions, and keys. schleuder-api-daemon uses transport encyrption (TLS) for all connections. The required TLS-certifcates should have been generated during the setup (schleuder install) but can be regenerated if necessary by running the following command as schleuder user: {{{schleuder cert generate}}}
     197
     198In order to verify the connection, each client needs to know the fingerprint of the API-certificate. Execute the following command to receive the fingerprint of the current cert.
     199
     200{{{schleuder@herman:~$ schleuder cert fingerprint}}}
     201
     202The Schleuder API uses API-keys to authenticate clients. To enable a client to connect, their API-key must be added to the section valid_api_keys in Schleuder’s configuration file. You can generate new API-keys by executing the following command:
     203
     204{{{schleuder@herman:~$ schleuder new_api_key}}}
     205
     206''All current schleuder api keys should remain private. Always use secure channels to transport this information.''
     207
     208Add the new api key to file {{{/etc/schleuder/schleuder.yml}}} below the directive {{{valid_api_keys:}}}
     209
     210{{{
     211valid_api_keys:
     212  - abcdef...
     213  - zyxwvu...
     214}}}
     215
     216Restart the schleuder api daemon as root to apply changes.
     217
     218{{{0 root@herman:~# systemctl restart schleuder-api-daemon}}}
     219
     220==== Dedicated user for schleuder-cli ====
     221
     222Create a separate "schleuder-manager" user that is able to talk to the API but doesn't have r/w access to the sqlitedb
     223
    185224{{{
    186225adduser schleuder-manager --gecos 'Schleuder Manager,,,' --disabled-password
    187226}}}
     227
     228Become the new user, create a new configuration file and ensure that only the schleuder-manager user has read and write access to this file.
     229
     230{{{
     2310 root@herman:~# su - schleuder-manager -s /bin/bash
     232schleuder-manager@herman:~$ touch /home/schleuder-manager/.schleuder-cli/schleuder-cli.yml
     233schleuder-manager@herman:~$ chmod 600 /home/schleuder-manager/.schleuder-cli/schleuder-cli.yml
     234}}}
     235
     236Edit this file with details for the connection of the schleuder-cli client to the schleuder-api-daemon including the tls fingerprint and api key retrieved above.
     237
     238{{{
     239host: localhost
     240port: 4443
     241tls_fingerprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     242api_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     243}}}
     244
     245''The api_key and tls fingerprint have been removed in this example and should not be public. Always use secure channels to transport this information.''
     246
     247Check that the schleuder-cli client is able to establish a connection to the api.
     248
     249{{{
     250schleuder-manager@herman:~$ schleuder-cli version -r
     2513.0.1
     252}}}
     253
     254Create an {{{.ssh/authorized_keys}}} file to allow authorized members of the support team to connect remotely and use the schleuder-cli.
     255
     256=== List creation and management ===
     257
     258Review the output of {{{schleuder-cli help}}}.
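Review bot: the `touch /home/schleuder-manager/.schleuder-cli/schleuder-cli.yml` step will fail as written because nothing creates the `.schleuder-cli` directory first; add `mkdir -m 700 ~/.schleuder-cli` before the `touch` so the directory, not just the file, is private to schleuder-manager. Two documentation gaps in the same region: the text introduces schleuder-manager as a user without r/w access to the sqlite db, yet `/etc/schleuder/schleuder.yml` holds every entry under `valid_api_keys:`, so the section should state the ownership and mode of that file (readable by the schleuder user only) or the separation between the two accounts is only nominal; and the `.ssh/authorized_keys` step for the support team gives no command, ownership or mode, unlike every other step here, so a reader cannot reproduce it.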